(57) A data processing apparatus and a data processing method
efficiently ascertain that data are valid, prevent encryption
processing key data from leaking, eliminate illegal use of
contents data, restrict contents utilization, apply a plurality
of different data formats to contents, and efficiently execute
reproduction processing of compressed data. The verification
process of partial data is executed by collating the partial
integrity check values as check values for a combination of
partial data of a content, and the verification process of the
entirety of the combination of partial data is executed by
collating partial-integrity-check-value-verifying integrity
check values that verify the combination of the partial
integrity check values. Master keys to generate individual keys
necessary for a process such as data encryption are stored in
the storage section, and keys are generated as required. An
illegal device list is stored in the header information of a
content and referred to when data is used. Keys specific to a
data processing apparatus and common keys are stored, and the
keys are selectively used according to the content use
restriction. Plural content blocks are coupled, and at least a
part of the content blocks is subjected to an encryption process
by an encryption key Kcon; encryption key data, that is, the
encryption key Kcon encrypted by an encryption key Kdis, is then
stored in the header section. Content data is made of
compressed data and an expansion processing program, or a
combination of types of compression programs, and the
reproducing apparatus can determine an expansion program
applicable to a compressed content.
Description

Technical Field 

[0001] The present invention relates to a data processing
apparatus and a data processing method, and more particularly,
to a method and apparatus for verifying that data constituting a
data content are valid, that is, checking whether or not the
data have been tampered with, as well as a method for imparting
verification values, and also to an apparatus and a method
capable of enhancing security by generating individual keys
necessary for encryption processing using master keys
corresponding to their respective individual keys. Moreover,
the present invention provides a configuration that eliminates
illegal usage of contents data or, more specifically, relates to
an apparatus and a method capable of identifying illegal
reproduction devices and eliminating illegal use of contents.
Furthermore, the present invention relates to an apparatus and a
method capable of easily setting contents only available to the
data processing apparatus using contents data and contents data
also available to other data processing apparatuses based on
information specific to the data processing apparatus, etc.
Still further, the present invention relates to a method,
apparatus and verification value assignment method for verifying
the validity of data configuring data contents, that is,
verifying the presence or absence of tampering.

[0002] Furthermore, the present invention relates to 
a data processing apparatus, a content data generating 
method, and a data processing method that realizes a 
content data configuration enabling to provide and uti- 
lize content data under a high security management in 
a configuration in which data including at least any one 
of voice information, image information and program da- 
ta is applied encryption processing, the data is provided 
to a content user together with various kinds of header 
information, and the content user performs reproduc- 
tion, execution, or storing processing in a recording de- 
vice. 

[0003] Still further, the present invention relates to a 
data processing apparatus, a data processing method 
and a content data generating method for providing a 
configuration for efficiently executing reproduction 
processing in the case in which data contents are com- 
pressed voice data, image data or the like, and more 
specifically for enabling to have a configuration of the 
content data in which compressed data and an expan- 
sion processing program are combined, retrieve and ex- 
tract an applicable expansion processing program 
based on header information of compressed data con- 
tents in which an applied expansion processing program 
is stored as header information to execute reproduction 
processing. 

[0004] Further yet, the present invention relates to a
configuration and method for reproducing various contents such
as sounds, images, games, or programs which are available
through recording media such as DVDs or CDs or wire or radio
communication means such as CATV, the Internet, or satellite
communication, in a recording and reproducing device owned by a
user and storing the contents in an exclusive recording device,
for example, a memory card, a hard disk, or a CD-R, realizing a
configuration for imposing use limitations desired by a content
distributor when a content stored in the recording device is
used, and providing security such that the distributed content
will not be illegally used by a third person other than regular
users.

Background Art 

DESCRIPTION OF THE RELATED ART

[0005] Various data such as game programs, sound data, image
data, or documenting programs (these are hereafter referred to
as "contents") are now distributed via a network such as the
Internet or via distributable storage media such as DVDs or CDs.
These distributed contents can be stored in a recording device
such as a memory card or a hard disk which is attached to a
recording and reproducing apparatus such as a Personal Computer
(PC) or a game apparatus that is owned by a user so that once
stored, the contents can be reproduced from the storage media.

[0006] Main components of a memory card used in a conventional
information apparatus such as a video game apparatus or a PC
include a connection means for controlling operations, a
connector for connection to a slot connected to the connection
means and formed in the information apparatus, a non-volatile
memory connected to the control means for storing data, and
others. The non-volatile memory provided in the memory card
comprises an EEPROM, a flash memory, or the like.

[0007] Various contents such as data or programs that are stored
in the memory card are invoked from the non-volatile memory in
response to a user's command from an information apparatus main
body such as a game apparatus or a PC which is used as a
reproduction apparatus or to a user's command provided via a
connected input means, and are reproduced from the information
apparatus main body or from a display, speakers, or the like
which are connected thereto.

[0008] Many software contents such as game programs, music data,
or image data generally have their distribution rights held by
their creators or sellers. Thus, in distributing these contents,
a configuration is generally used which places specified
limitations on the usage; that is, the use of software is
permitted only for regular users so as to prevent unauthorized
copying or the like; that is, security is taken into
consideration.

[0009] One method for realizing limitations on the use by a user
is a process for encrypting a distributed content. This process
comprises a means for distributing various contents such as
sound data, image data, or game programs which are encrypted,
for example, via the Internet and decrypting a distributed
encrypted content only for people confirmed to be regular users,
the means corresponding to a configuration for imparting a
decryption key.

[0010] Encrypted data can be returned to available 
decrypted data (plain text) obtained by a decryption 
process based on a predetermined procedure. Such a 
data encrypting and decrypting method that uses an en- 
cryption key for an information encrypting process while 
using a decryption key for such a decryption process is 
conventionally known. 

[0011] There are various types of aspects of data encrypting and
decrypting methods using an encryption key and a decryption key;
an example is what is called a common key cryptosystem. The
common key cryptosystem uses a common encryption key used for a
data encrypting process and a common decryption key used for a
data decrypting process and imparts these common keys used for
the encryption and decryption processes, to regular users while
excluding data accesses by illegal users that have no key. A
representative example of this cryptosystem is the DES (Data
Encryption Standard).

[0012] The encryption and decryption keys used for the
encryption and decryption processes are obtained, for example,
by applying a one-way function such as a hash function based on
a password or the like. The one-way function makes it difficult
to determine its input from its output. For example, a password
decided by a user is used as an input to apply a one-way
function so as to generate encryption and decryption keys based
on an output from the function. Determining the password, which
is the original data for the keys, from the thus obtained
encryption and decryption keys is substantially impossible.

[0013] In addition, a method called a "public key cryp- 
tosystem" uses different algorithms for a process based 
on an encryption key used for encryption and for a proc- 
ess based on a decryption key used for decryption. The 
public key cryptosystem uses a public key available to 
unspecified users so that an encrypted document for a 
particular individual is decrypted using a public key is- 
sued by this particular user. The document encrypted 
with the public key can only be decrypted with a secret 
key corresponding to the public key used for the decryp- 
tion process. Since the secret key is owned by the indi- 
vidual that has issued the public key, the document en- 
crypted with the public key can be decrypted only by in- 
dividuals having the secret key. A representative public 
key cryptosystem is the RSA (Rivest-Shamir-Adleman) 
encryption. 

[0014] The use of such a cryptosystem enables encrypted contents
to be decrypted only for regular users. A conventional content
distributing configuration employing such a cryptosystem will be
described in brief with reference to Fig. 1.

[0015] Fig. 1 shows an example of a configuration in which a
reproduction means 10 such as a PC (Personal Computer) or a game
apparatus reproduces a program, sound or video data, or the like
(content) obtained from a data providing means such as a DVD, a
CD 30, or the Internet 40 and wherein data obtained from the
DVD, CD 30, Internet 40, or the like are stored in a storage
means 20 such as a floppy disk, a memory card, a hard disk, or
the like.

[0016] The content such as a program or sound or video data is
provided to a user having the reproduction means 10. A regular
user obtains encrypted data as well as key data, that is, the
encryption and decryption keys.

[0017] The reproduction means 10 has a CPU 12 to reproduce input
data by means of a reproduction process section 14. The
reproduction process section 14 decrypts encrypted data to
reproduce a provided program and the content such as sound or
image data.

[0018] The regular user saves the content such as the program
and data to a storage means 20 in order to use the provided
program again. The reproduction means 10 has a saving process
section 13 for executing this content saving process. The saving
process section 13 encrypts and saves the data in order to
prevent the data stored in the storage means 20 from being
illegally used.

[0019] A content encrypting key is used to encrypt the content.
The saving process section 13 uses the content encrypting key to
encrypt the content and then stores the encrypted content in a
storage section 21 of the storage means 20 such as a FD (Floppy
Disk), a memory card, or a hard disk.

[0020] To obtain and reproduce the stored content from the
storage means 20, the user obtains encrypted data from the
storage means 20 and causes the reproduction process section 14
of the reproduction means 10 to execute the decryption process
using a content decrypting key, that is, the decryption key in
order to obtain and reproduce decrypted data from the encrypted
data.

[0021] According to the conventional example of configuration
shown in Fig. 1, the stored content is encrypted in the storage
means 20 such as a floppy disk or memory card and thus cannot be
read externally. When, however, this floppy disk is to be
reproduced by means of a reproduction means of another
information apparatus such as PC or game apparatus, the
reproduction is impossible unless the reproduction means has the
same content key, that is, the same decryption key for
decrypting the encrypted content. Accordingly, to implement a
form available to a plurality of information apparatuses, a
common decryption key must be provided to users.

[0022] The use of a common content encrypting key, however,
means that there will be a higher possibility of disorderly
distributing the encryption process key to users not having a
regular license. Consequently, the illegal use of the content by
users not having the regular license cannot be prevented, and it
will be difficult to exclude the illegal use in PCs, game
apparatuses, or the like which do not have the regular license.

[0023] In case that key information leaks from one of the
apparatuses, the use of a common content encrypting key and
decryption key can cause damage to the whole system which
utilizes the keys.

[0024] Furthermore, in an environment using a common key as
described above, it is possible to easily copy, for example, a
content created on a certain PC and saved to a storage means
such as a memory card or floppy disk, to another floppy disk.
Consequently, a use form using the copied floppy disk instead of
the original content data will be possible, so that a large
number of copied content data available to information
apparatuses such as game apparatuses or PCs may be created or
tampered.

[0025] A method is conventionally used which contains a
verifying integrity check value in content data for checking the
validity of the data, that is, whether or not the data have been
tampered, and which then causes a recording and reproducing
device to collate an integrity check value generated based on
the data to be verified with the integrity check value contained
in the content data to verify the data.

[0026] The integrity check value for the data contents, however,
is generally generated for the entire data, and collating the
integrity check value generated for the entire data requires an
integrity check value to be generated for the entire data to be
checked. If, for example, an integrity check value ICV is to be
determined using a Message Authentication Code (MAC) generated
in a DES-CBC mode, the DES-CBC process must be executed on the
entire data. The amount of such calculations increases linearly
with the data length, thereby disadvantageously reducing
processing efficiency.

Description of the Invention 

[0027] The present invention solves the above problems in the
conventional art and is to provide, as a first object, a data
processing apparatus and method and a data verifying value
imparting method, which efficiently confirm the validity of data
and efficiently execute a download process for a recording
device executed after the verification, a reproduction process
executed after the verification, and other processes, as well as
a program providing medium for use in this apparatus and these
methods.

[0028] Furthermore, as techniques for limiting the use of
contents data to authorized users, various kinds of encryption
processing are available such as data encryption, data
decryption, data verification, signature processing. However,
executing these kinds of encryption processing requires common
secret information, for example, key information applied to
encryption and decryption of contents data or an authentication
key used for authentication to be shared between two
apparatuses, that is, apparatuses between which contents data is
transferred or apparatuses between which authentication
processing is executed.

[0029] Therefore, in the case where key data, which 
is shared secret information, is leaked from either of the 
two apparatuses, the contents encryption data using the 
shared key information can also be decrypted by a third 
party who has no license, thus allowing illegal use of 
contents. The same is true for the case where an au- 
thentication key is leaked, which will lead to establish 
authentication for an apparatus with no license. Leak- 
age of keys, therefore, has consequences threatening 
the entire system. 

[0030] The present invention is intended to solve 
these problems. The second object of the invention is 
to provide a data processing apparatus, data processing 
system and data processing method with enhanced se- 
curity in encryption processing. The data processing ap- 
paratus of the present invention does not store individ- 
ual keys necessary to execute encryption processing 
such as data encryption, data decryption, data verifica- 
tion, authentication processing and signature process- 
ing in a storage section, stores master keys to generate 
these individual keys in the storage section instead and 
allows an encryption processing section to generate 
necessary individual keys based on the master keys and 
identification data of the apparatus or data. 
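
The arrangement in paragraph [0030], sketched as an added example that is not taken from the patent: the recorder stores one master key and regenerates a recording device's individual key from that device's identification data whenever it is needed. HMAC-SHA256 as the generating function, the challenge-response exchange, and all class, function and ID names are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def derive_individual_key(master_key: bytes, purpose: bytes, identifier: bytes) -> bytes:
    """Generate an individual key from a master key and identification data.

    HMAC-SHA256 is an assumed stand-in for the generating function; the
    purpose is length-prefixed so (purpose, identifier) pairs cannot collide.
    """
    message = len(purpose).to_bytes(2, "big") + purpose + identifier
    return hmac.new(master_key, message, hashlib.sha256).digest()


class RecordingDevice:
    """Hypothetical device that holds only its own ID and individual key."""

    def __init__(self, device_id: bytes, individual_key: bytes):
        self.device_id = device_id
        self._key = individual_key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Recorder:
    """Hypothetical recorder/reproducer: stores the master key, no per-device keys."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key

    def authenticate(self, device: RecordingDevice) -> bool:
        challenge = os.urandom(16)
        # The individual key exists only for the duration of this call.
        key = derive_individual_key(self._master_key, b"auth", device.device_id)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, device.respond(challenge))


def demo():
    master = b"constructed master key"  # constructed sample value
    recorder = Recorder(master)
    key_a = derive_individual_key(master, b"auth", b"CARD-0001")
    key_b = derive_individual_key(master, b"auth", b"CARD-0002")
    card_a = RecordingDevice(b"CARD-0001", key_a)
    # A device presenting CARD-0001's ID while holding CARD-0002's key.
    mismatched = RecordingDevice(b"CARD-0001", key_b)
    return recorder.authenticate(card_a), recorder.authenticate(mismatched), key_a != key_b


if __name__ == "__main__":
    print(demo())
```

Because each individual key is bound to one identifier, a key read out of one recording device is of no use for authenticating under any other identifier, and the recorder has no key table to leak.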
[0031] Furthermore, it is possible to maintain a certain
degree of security by supplying contents data encrypt- 
ed. However, in the case where various encryption keys 
stored in memory are read through illegal reading of 
memory, key data, etc. is leaked and copied on a record- 
er/reproducer without any authorized license, contents 
may be illegally used using the copied key information. 
[0032] It is the third object of the present invention to 
provide a data processing apparatus, data processing 
method and contents data generation method in a con- 
figuration capable of excluding such illegal reproducers, 
that is, a configuration identifying illegal reproducers 
and not allowing the identified reproducers to execute 
processing such as reproduction and downloading of 
contents data. 

[0033] Furthermore, techniques for limiting the use of 
contents data to authorized users include encryption 
processing using predetermined encryption keys, for 
example, signature processing. However, conventional 
encryption processing using signature generally has a 
signature key common to all entities using contents in a 
system and such a signature key allows different appa- 
ratuses to use common contents, which involves a prob- 
lem of leading to illegal copies of contents. 
[0034] It is possible to store contents encrypted using 
a unique password, etc., but the password may be sto- 
len. It is also possible to decrypt a same encrypted con- 
tents data by entering a same password through differ- 
ent reproducers, but it is difficult for a conventional se- 
curity configuration to implement a system that can iden- 
tify a reproducer to allow only the reproducer to use the 
contents. 
[0035] The present invention has been implemented to solve the
above problems of the prior arts and it is the fourth object of
the present invention to provide a data processing apparatus and
data processing method capable of allowing only a specific data
processing apparatus to reproduce contents according to contents
utilization restrictions by making it possible to selectively
use an apparatus-specific key, which is specific to a data
processing apparatus and a system common key, which is common to
other data processing apparatuses.

[0036] Furthermore, there is encryption processing of content
data as a method of limiting utilization of content data to
authorized users. However, there are various kinds of content
data such as voice information, image information and program
data, and there are various contents in cases such as a case in
which all content data is required to be encrypted and a case in
which a part requiring encryption processing and a part not
requiring encryption processing are mixed.

[0037] Applying encryption processing uniformly to such various
contents may generate unnecessary decryption processing in
reproduction processing of the contents, or may generate
unfavorable situations in terms of processing efficiency and
processing speed. For example, for data such as music data to
which real time reproduction is essential, it is desirable to
have a content data structure to which decryption processing can
be applied at high processing speed.

[0038] The present invention solves such problems. It is the
fifth object of the present invention to provide a data
processing apparatus, a content data generating method and a
data processing method that enable various data structures
corresponding to types of content data, i.e., various different
data formats corresponding to the content, to be applied to a
content, and enable generation and processing of content data
that has high security and is easy to utilize in reproduction,
execution and the like.

[0039] Furthermore, voice data, image data and the like that are
decrypted are outputted to an AV output section to be
reproduced. Nowadays, many contents are often compressed and
stored in a storage medium or distributed. It is therefore
necessary to expand the compressed data before reproducing. For
example, if voice data is MP-3 compressed, the voice data is
decrypted by a MP3 decoder to be output. And if content data is
image data which is MP-3 compressed, the voice data is expanded
by a MPEG2 decoder to be output.
[0040] However, as there are various kinds of com- 
pression processing and expansion processing pro- 
grams, even if compressed data is provided from a con- 
tent provider via a medium or a network, it is impossible 
to reproduce the data with a reproducing apparatus that 
does not have a compatible expansion program. 
[0041] It is the sixth object of the present invention to
provide a configuration for efficiently executing reproduction
processing of compressed data, that is, a data processing
apparatus, a data processing method and a content data
generating method for efficiently executing reproduction
processing in the case in which contents are compressed voice
data, image data or the like.
[0042] The foregoing objects and other objects of the 
invention have been achieved by the provision of a data 
processing apparatus and a data processing method. 
[0043] A first aspect of the present invention is: a data 
processing apparatus for processing content data pro- 
vided by a recording or communication medium, char- 
acterized in that said apparatus comprises: a cryptog- 
raphy process section for executing a cryptography 
process on the content data; and a control section for 
executing control for the cryptography process section, 
and the cryptography process section: is configured to 
generate partial integrity check values as integrity check 
values for a partial data set containing one or more par- 
tial data obtained by a content data-constituting section 
into a plurality of parts, collate the generated integrity 
check values to verify the partial data, generates an in- 
termediate integrity check value based on a partial in- 
tegrity check value set data string containing at least one 
or more of the partial integrity check values, and use the 
generated intermediate integrity check value to verify 
the entirety of the plurality of partial data sets corre- 
sponding to the plurality of partial integrity check values 
constituting the partial integrity check value set.
[0044] Further, one embodiment of the data processing apparatus
according to the present invention is characterized in that the
partial integrity check value is generated by means of a
cryptography process with a partial-check-value-generating key
applied thereto, using partial data to be checked, as a message,
the intermediate integrity check value is generated by means of
a cryptography process with a general-check-value-generating key
applied thereto, using a partial integrity check value set data
string to be checked, as a message, and the cryptography process
section is configured to store the partial integrity check
value-generating key and the general integrity check
value-generating key.
[0045] Further, one embodiment of the data process- 
ing apparatus according to the present invention is char- 
acterized in that the cryptography process has plural 
types of partial-check-value-generating key corre- 
sponding to generated partial integrity check values. 
[0046] Further, one embodiment of the data process- 
ing apparatus according to the present invention is char- 
acterized in that the cryptography process is a DES 
cryptography process, and the cryptography process 
section is configured to execute the DES cryptography 
process. 

[0047] Further, one embodiment of the data processing apparatus
according to the present invention is characterized in that the
partial integrity check value is a message authentication code
(MAC) generated in a DES-CBC mode using partial data to be
checked, as a message, the intermediate value is a message
authentication code (MAC) generated in a DES-CBC mode using a
partial integrity check value set data string to be checked, as
a message, and the cryptography process section is configured to
execute the cryptography process in the DES-CBC mode.

[0048] Further, one embodiment of the data process- 
ing apparatus according to the present invention is char- 
acterized in that in the DES-CBC mode-based cryptog- 
raphy process configuration of the cryptography proc- 
ess section, Triple DES is applied only in part of a mes- 
sage string to be processed. 

[0049] Further, one embodiment of the data process- 
ing apparatus according to the present invention is char- 
acterized in that the data processing apparatus has a 
signature key, and the cryptography process section is 
configured to apply a value generated from the interme- 
diate value by means of the signature key-applied cryp- 
tography process as a collation value for data verifica- 
tion. 
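
The two-level check of paragraphs [0043] to [0049], as an added example that is not code from the patent: a partial integrity check value per part, an intermediate value computed over the string of partial check values, and a collation value produced from the intermediate value with a signature key. HMAC-SHA256 is swapped in for the DES-CBC MAC the page specifies, and the keys, function names and sample parts are constructed assumptions.

```python
import hashlib
import hmac

# Constructed keys. The page generates its MACs in DES-CBC mode; HMAC-SHA256
# is swapped in here because it ships with the standard library.
K_PARTIAL = b"constructed partial-check-value-generating key"
K_GENERAL = b"constructed general-check-value-generating key"
K_SIGN = b"constructed signature key"


def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def build_check_values(parts):
    """Producer side: one partial ICV per part plus one collation value for the set."""
    partial_icvs = [mac(K_PARTIAL, part) for part in parts]
    intermediate = mac(K_GENERAL, b"".join(partial_icvs))
    collation = mac(K_SIGN, intermediate)
    return partial_icvs, collation


def verify_part(part: bytes, stored_icv: bytes) -> bool:
    """Collate one part against its stored partial ICV."""
    return hmac.compare_digest(mac(K_PARTIAL, part), stored_icv)


def verify_set(partial_icvs, collation: bytes) -> bool:
    """Verify the whole set by MACing only the short string of partial ICVs."""
    intermediate = mac(K_GENERAL, b"".join(partial_icvs))
    return hmac.compare_digest(mac(K_SIGN, intermediate), collation)


def check_before_storing(parts, partial_icvs, collation) -> str:
    """Stop at the first failed collation, as a control section would."""
    if len(parts) != len(partial_icvs):
        return "rejected: part count mismatch"
    for index, (part, icv) in enumerate(zip(parts, partial_icvs)):
        if not verify_part(part, icv):
            return f"rejected: part {index} failed collation"
    if not verify_set(partial_icvs, collation):
        return "rejected: check value set failed collation"
    return "accepted"


# Constructed sample content: one header part and two content blocks.
SAMPLE_PARTS = [b"header: usage policy", b"content block 1", b"content block 2"]


def demo():
    icvs, collation = build_check_values(SAMPLE_PARTS)
    tampered = list(SAMPLE_PARTS)
    tampered[2] = b"content block 2 (modified)"
    # Parts moved together with their own ICVs: every part still collates,
    # so only the check over the ICV string notices the change.
    moved_parts = [SAMPLE_PARTS[1], SAMPLE_PARTS[0], SAMPLE_PARTS[2]]
    moved_icvs = [icvs[1], icvs[0], icvs[2]]
    return {
        "intact": check_before_storing(SAMPLE_PARTS, icvs, collation),
        "tampered": check_before_storing(tampered, icvs, collation),
        "reordered": check_before_storing(moved_parts, moved_icvs, collation),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The set-level check costs one MAC over a few short values regardless of content size, and it is the only check that catches parts being rearranged, since a partial check value on its own says nothing about where its part belongs.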

[0050] Further, one embodiment of the data process- 
ing apparatus according to the present invention is char- 
acterized in that the data processing apparatus has a 
plurality of different signature keys as signature keys, 
and the cryptography process section is configured to 
apply one of the plurality of different signature keys 
which is selected depending on a localization of the con- 
tent data, to the cryptography process for the interme- 
diate integrity check value to obtain the collation value 
for data verification. 

[0051] Further, one embodiment of the data process- 
ing apparatus according to the present invention is char- 
acterized in that the data processing apparatus has a 
common signature key common to all entities of a sys- 
tem for executing a data verifying process and an appa- 
ratus-specific signature key specific to each apparatus 
that executes a data verifying process. 
[0052] Further, one embodiment of the data processing apparatus
according to the present invention is characterized in that the
partial integrity check value contains one or more header
section integrity check values generated for
intra-header-section data partly constituting data and one or
more content integrity check values generated for content block
data partly constituting the data, and the cryptography process
is configured to generate one or more header section integrity
check values for a partial data set in the intra-header-section
data to execute a collation process, generate one or more
content integrity check values for a partial data set in the
intra-content-section data to execute a collation process, and
further generate a general integrity check value based on all
the header section integrity check values and the content
integrity check values generated, to execute a collation process
in order to verify the data.
[0053] Further, one embodiment of the data processing apparatus
according to the present invention is characterized in that the
partial integrity check value contains one or more header
section integrity check values generated for
intra-header-section data partly constituting data, and the
cryptography process is configured to generate one or more
header section integrity check values for a partial data set in
the intra-header-section data to execute a collation process and
further generate a general integrity check value based on the
one or more header section integrity check values generated and
on content block data constituting part of the data, to execute
a collation process in order to verify the data.

[0054] Further, one embodiment of the data processing apparatus
according to the present invention is characterized by further
comprising a recording device for storing data validated by the
cryptography process section.

[0055] Further, one embodiment of the data processing apparatus
according to the present invention is characterized in that the
control section is configured so that if, in the process
executed by the cryptography process section to collate the
partial integrity check value, the collation is not established,
the control section suspends the process for storing data in the
recording device.

[0056] Further, one embodiment of the data processing apparatus
according to the present invention is characterized by further
comprising a reproduction process section for reproducing data
validated by the cryptography process section.

[0057] Further, one embodiment of the data processing apparatus
according to the present invention is characterized in that if,
in the process executed by the cryptography process section to
collate the partial integrity check value, the collation is not
established, the control section suspends the reproduction
process in the reproduction process section.

[0058] Further, one embodiment of the data processing apparatus
according to the present invention is characterized by
comprising control means for collating only the header section
integrity check values in the data during the process executed
by the cryptography process section to collate the partial
integrity check values and transmitting data for which collation
of the header section integrity check values has been
established, to the reproduction process section for
reproduction.

[0059] Moreover, a second aspect of the present invention is a
data processing apparatus for processing content data provided
by a recording or communication medium, characterized in that
said apparatus comprises: a cryptography process section for
executing a cryptography process on the content data; and a
control section for executing control for the cryptography
process section, and the cryptography process section: is
configured to generate, if data to be verified are encrypted,
integrity check values for the data to be verified by means of a
signature data-applied cryptography process from data on
arithmetic operation results obtained by executing an arithmetic
operation process on decrypted data obtained by executing a
decryption process on the encrypted data.

[0060] Further, one embodiment of the data processing
apparatus according to the present invention is characterized
in that the arithmetic operation process comprises
performing an exclusive-OR operation on decrypted
data every predetermined number of bytes, the decrypted
data being obtained by decrypting the encrypted data.
[0061] Moreover, a third embodiment of the present 
invention is a data processing method for processing 
content data provided by a recording or communication 
medium, the method being characterized in that said 
method: generates partial integrity check values as in- 
tegrity check values for a partial data set containing one 
or more partial data obtained by dividing a content data
constituting section into a plurality of parts, and collates the
generated integrity check values to verify the partial da- 
ta, and generates an intermediate integrity check value 
based on a partial integrity check value set data string 
containing at least one or more of the partial integrity 
check values, and uses the generated intermediate in- 
tegrity check value to verify the entirety of the plurality 
of partial data sets corresponding to the plurality of par- 
tial integrity check values constituting the partial integ- 
rity check value set. 

[0062] Further, one embodiment of the data process- 
ing method according to the present invention is char- 
acterized in that the partial integrity check value is gen- 
erated by means of a cryptography process with a par- 
tial-check-value-generating key applied thereto, using 
partial data to be checked, as a message, and the inter- 
mediate integrity check value is generated by means of 
a cryptography process with a general-check-value-generating
key applied thereto, using a partial integrity
check value set data string to be checked, as a mes- 
sage. 

[0063] Further, one embodiment of the data process- 
ing method according to the present invention is char- 
acterized in that the partial integrity check value is gen- 
erated by applying different types of partial-check-val- 
ue-generating keys corresponding to generated partial 
integrity check values. 

[0064] Further, one embodiment of the data process- 
ing method according to the present invention is char- 
acterized in that the cryptography process is a DES 
cryptography process. 

[0065] Further, one embodiment of the data process- 
ing method according to the present invention is char- 
acterized in that the partial integrity check value is a 
message authentication code (MAC) generated in a 
DES-CBC mode using partial data to be checked, as a 
message, and the intermediate value is a message au- 
thentication code (MAC) generated in a DES-CBC 
mode using a partial integrity check value set data string 
to be checked, as a message. 

[0066] Further, one embodiment of the data process- 
ing method according to the present invention is char- 
acterized in that a value generated from the intermedi- 
ate value by means of a signature key-applied cryptog- 
raphy process is applied as a collation value for data 
verification. 

[0067] Further, one embodiment of the data processing
method according to the present invention is characterized
in that different signature keys are applied to
the cryptography process for the intermediate integrity 
check value depending on a localization of the content 
data, to obtain the collation value for data verification. 
[0068] Further, one embodiment of the data processing
method according to the present invention is characterized
in that a common signature key common to all
entities of a system for executing a data verifying process
or an apparatus-specific signature key specific to
each apparatus that executes a data verifying process
is selected and used as the signature key depending on 
the localization of the content data. 
[0069] Further, one embodiment of the data processing
method according to the present invention is characterized
in that the partial integrity check value contains
one or more header section integrity check values
generated for intra-header-section data partly constituting
data and one or more content integrity check values
generated for intra-content-section data partly constituting
the data, and a data verifying process generates one
or more header section integrity check values for a partial
data set in the intra-header-section data to execute
a collation process; generates one or more content integrity
check values for a partial data set in the
intra-content-section data to execute a collation process; and
further generates a general integrity check value based 
on all the header section integrity check values and the 
content integrity check values generated, to execute a 
collation process in order to verify the data. 
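
The two-level check described in the paragraphs above, as an added example that is not code from the patent: each part carries its own partial integrity check value, and one collation value covers the string of partial check values. HMAC-SHA256 stands in for the DES-CBC MAC named in the text, and all keys, part names and data are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo keys (assumptions). The text applies different
# partial-check-value-generating keys to different check values.
PARTIAL_KEYS = {"header": b"K-icv-header", "content": b"K-icv-content"}
GENERAL_KEY = b"K-icv-general"   # general-check-value-generating key
COMMON_SIG_KEY = b"K-sys"        # signature key common to all apparatuses
DEVICE_SIG_KEY = b"K-dev-0001"   # apparatus-specific signature key


def mac(key, message):
    # Stand-in for the DES-CBC MAC of the text: HMAC-SHA256.
    return hmac.new(key, message, hashlib.sha256).digest()


def collation_value(partial_icvs, sig_key):
    # Intermediate value = MAC over the string of partial check values,
    # followed by a signature-key-applied step to get the collation value.
    intermediate = mac(GENERAL_KEY, b"".join(partial_icvs))
    return mac(sig_key, intermediate)


def impart(parts, sig_key):
    """parts: list of (kind, data). Attach partial and general check values."""
    checked = [(kind, data, mac(PARTIAL_KEYS[kind], data)) for kind, data in parts]
    total = collation_value([icv for _, _, icv in checked], sig_key)
    return {"parts": checked, "total": total}


def verify(package, sig_key):
    """Return (ok, reason); stop at the first collation that is not established."""
    for index, (kind, data, icv) in enumerate(package["parts"]):
        key = PARTIAL_KEYS.get(kind)
        if key is None or not hmac.compare_digest(mac(key, data), icv):
            return False, f"partial check failed at part {index}"
    stored = [icv for _, _, icv in package["parts"]]
    if not hmac.compare_digest(collation_value(stored, sig_key), package["total"]):
        return False, "general check failed"
    return True, "valid"


def demo():
    parts = [("header", b"usage policy: playback only"),
             ("content", b"block-1"), ("content", b"block-2")]
    pkg = impart(parts, COMMON_SIG_KEY)
    results = {"intact": verify(pkg, COMMON_SIG_KEY)}

    # One block modified: caught by that block's partial check value.
    modified = {"parts": list(pkg["parts"]), "total": pkg["total"]}
    kind, _, icv = modified["parts"][1]
    modified["parts"][1] = (kind, b"block-X", icv)
    results["modified"] = verify(modified, COMMON_SIG_KEY)

    # Blocks swapped or dropped together with their own valid check values:
    # every partial check passes, only the general check notices.
    swapped = {"parts": [pkg["parts"][0], pkg["parts"][2], pkg["parts"][1]],
               "total": pkg["total"]}
    results["reordered"] = verify(swapped, COMMON_SIG_KEY)
    dropped = {"parts": pkg["parts"][:2], "total": pkg["total"]}
    results["dropped"] = verify(dropped, COMMON_SIG_KEY)

    # Localized content: signed with one apparatus key, checked on another.
    local = impart(parts, DEVICE_SIG_KEY)
    results["other_device"] = verify(local, b"K-dev-0002")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```
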
[0070] Further, one embodiment of the data processing
method according to the present invention is characterized
in that the partial integrity check value contains
one or more header section integrity check values
generated for intra-header-section data partly constituting
data, the data verifying process comprises generating
one or more header section integrity check values
for a partial data set in the intra-header-section data to
execute a collation process; and further generating a
general integrity check value based on the one or more
header section integrity check values generated and on
content block data constituting part of the data, to exe- 
cute a collation process in order to verify the data. 
[0071] Further, one embodiment of the data processing
method according to the present invention is characterized
by further comprising a process for storing, after
data verification, validated data.
[0072] Further, one embodiment of the data process- 
ing method according to the present invention is char- 
acterized in that if in the process for collating the partial 
integrity check value, the collation is not established,
control is executed such as to suspend the process for 
storing data in the recording device. 
[0073] Further, one embodiment of the data processing
method according to the present invention is characterized
by further comprising a data reproduction
process for reproducing data after the data verification. 
[0074] Further, one embodiment of the data processing
method according to the present invention is characterized
in that if in the process for collating the partial
integrity check value, the collation is not established, 
control is executed such as to suspend the reproduction 
process executed in the reproduction process section. 
[0075] Further, one embodiment of the data processing
method according to the present invention is characterized
in that said method collates only the header
section integrity check values in the data during the 
process for collating the partial integrity check values 
and transmits data for which collation of the header sec- 
tion integrity check values has been established, to the 
reproduction process section for reproduction. 
[0076] Moreover, a fourth aspect of the present inven- 
tion is a data processing method for processing content 
data provided by a recording or communication medi- 
um, the method being characterized in that said method: 
if data to be verified are encrypted, executes an arith- 
metic operation process on decrypted data obtained by 
decrypting the encrypted data, executes a signature 
key-applied cryptography process on data on arithmetic 
operation results obtained by the arithmetic operation, 
to generate integrity check values for the data to be ver- 
ified. 

[0077] Further, one embodiment of the data processing
method according to the present invention is characterized
in that the arithmetic operation process comprises
performing an exclusive-OR operation on decrypted
data every predetermined number of bytes, the decrypted
data being obtained by decrypting the encrypted data. 
[0078] Moreover, a fifth aspect of the present inven- 
tion is a data verifying value imparting method for a data 
verifying process, characterized in that said method: im- 
parts partial integrity check values as integrity check val- 
ues for a partial data set containing one or more partial 
data obtained by dividing a content data constituting section into
a plurality of parts, and imparts to data to be verified, an
intermediate integrity check value used to verify a partial 
integrity check value set data string containing at least 
one or more of the partial integrity check values. 
[0079] Further, one embodiment of the data verifying 
value imparting method according to the present inven- 
tion is characterized in that the partial integrity check 
value is generated by means of a cryptography process 
with a partial-check-value-generating key applied there- 
to, using partial data to be checked, as a message, and 
the intermediate integrity check value is generated by 
means of a cryptography process with a general-check-value-generating
key applied thereto, using a
partial integrity check value set data string to be 
checked, as a message. 

[0080] Further, one embodiment of the data verifying
value imparting method according to the present inven- 
tion is characterized in that the partial integrity check 
value is generated by applying different types of partial- 
check-value-generating keys corresponding to generat- 
ed partial integrity check values. 

[0081] Further, one embodiment of the data verifying 
value imparting method according to the present invention
is characterized in that the cryptography process is
a DES cryptography process. 

[0082] Further, one embodiment of the data verifying 
value imparting method according to the present inven- 
tion is characterized in that the partial integrity check 
value is a message authentication code (MAC) gener- 
ated in a DES-CBC mode using partial data to be 
checked, as a message, and the intermediate value is 
a message authentication code (MAC) generated in a 
DES-CBC mode using a partial integrity check value set 
data string to be checked, as a message. 
[0083] Further, one embodiment of the data verifying 
value imparting method according to the present inven- 
tion is characterized in that a value generated from the 
intermediate value by means of a signature key-applied 
cryptography process is applied as a collation value for 
data verification. 

[0084] Further, one embodiment of the data verifying 
value imparting method according to the present inven- 
tion is characterized in that different signature keys are 
applied to the cryptography process for the intermediate 
integrity check value depending on a localization of the 
content data, to obtain the collation value for data veri- 
fication. 

[0085] Further, one embodiment of the data verifying 
value imparting method according to the present inven- 
tion is characterized in that a common signature key 
common to all entities of a system for executing a data 
verifying process or an apparatus-specific signature key 
specific to each apparatus that executes a data verifying 
process is selected and used as the signature key de- 
pending on the localization of the content data. 
[0086] Further, one embodiment of the data verifying 
value imparting method according to the present inven- 
tion is characterized in that the partial integrity check 
value contains one or more header section integrity 
check values for intra-header-section data partly constituting
data and one or more content integrity check
values for intra-content-section data partly constituting 
the data, and the method is set so that a general integrity 
check value is generated for all the header section in- 
tegrity check values and the content integrity check val- 
ues, to verify the data. 

[0087] Further, one embodiment of the data verifying 
value imparting method according to the present inven- 
tion is characterized in that the partial integrity check 
value contains one or more header section integrity 
check values for intra-header-section data partly consti- 
tuting data, and the method is set so that a general in- 
tegrity check value is generated for the one or more 
header section integrity check values and content block 
data partly constituting the data, to verify the data. 
[0088] Moreover, a sixth aspect of the present inven- 
tion is a program providing medium for providing a com- 
puter program for causing a data verifying process to be 
executed on a computer system to verify that data are 
valid, the program providing medium being character- 
ized in that the computer program comprises steps of: 
executing a collation process using partial integrity
check values generated as integrity check values for a
partial data set containing one or more partial data obtained
by dividing data into a plurality of parts, and using an
intermediate integrity check value based on a partial in- 
tegrity check value set obtained by combining a plurality 
of the partial integrity check values together, to verify 
the entirety of a plurality of partial data sets correspond- 
ing to the plurality of partial integrity check values con- 
stituting the partial integrity check value set. 
[0089] A seventh aspect of the present invention is a 
data processing apparatus including an encryption
processing section that executes encryption
processing of at least one of data encryption, data decryption,
data verification, authentication processing
and signature processing and a storage section that 
stores master keys to generate keys used for the en- 
cryption processing, characterized in that the encryption 
processing section is configured to generate individual 
keys necessary to execute the encryption processing 
based on the master keys and identification data of the 
apparatus or data subject to encryption processing. 
[0090] According to another embodiment of the data 
processing apparatus of the present invention, the data 
processing apparatus is a data processing apparatus 
that performs encryption processing on transfer data via 
a recording medium or communication medium, characterized
in that the storage section stores a distribution
key generation master key MKdis for generating a dis- 
tribution key Kdis used for encryption processing of the 
transfer data and the encryption processing section ex- 
ecutes encryption processing based on the distribution 
key generation master key MKdis stored in the storage 
section and a data identifier, which is identification data 
of the transfer data and generates the transfer data dis- 
tribution key Kdis. 

[0091] Furthermore, according to another embodi- 
ment of the data processing apparatus of the present 
invention, the data processing apparatus is a data 
processing apparatus that performs authentication 
processing of an externally connected apparatus to/ 
from which data is transferred, characterized in that the 
storage section stores an authentication key generation 
master key MKake for generating an authentication key 
Kake of the externally connected apparatus and the en- 
cryption processing section executes encryption 
processing based on the authentication key generation 
master key MKake stored in the storage section and an 
identifier of the externally connected apparatus, which 
is identification data of the externally connected appa- 
ratus and generates the authentication key Kake of the 
externally connected apparatus. 

[0092] Furthermore, according to another embodi- 
ment of the data processing apparatus of the present 
invention, the data processing apparatus is a data 
processing apparatus that performs signature process- 
ing on data, characterized in that the storage section 
stores a signature key generation master key MKdev for
generating a data processing apparatus signature key
Kdev of the data processing apparatus and the encryption
processing section executes encryption processing
based on the signature key generation master key MKdev
stored in the storage section and an identifier of the
data processing apparatus, which is identification data 
of the data processing apparatus and generates the da- 
ta processing apparatus signature key Kdev of the data 
processing apparatus. 

[0093] Furthermore, according to another embodiment
of the data processing apparatus of the present
invention, individual key generation processing that
generates an individual key necessary to execute encryption
processing based on the master key and identification
data of the apparatus or data subject to encryption
processing is encryption processing that uses at
least part of identification data of the apparatus or data
subject to encryption processing as a message and ap- 
plies the master key as the encryption key. 

[0094] Furthermore, according to another embodiment
of the data processing apparatus of the present
invention, the encryption processing is encryption 
processing using a DES algorithm. 
[0095] Furthermore, an eighth aspect of the present
invention is a data processing system configured by a
plurality of data processing apparatuses, characterized
in that each of the plurality of data processing apparatuses
has a common master key to generate a key used
for encryption processing of at least one of data encryption,
data decryption, data verification, authentication
processing and signature processing and each of the
plurality of data processing apparatuses generates a
common individual key necessary to execute the encryption
processing based on the master key and identification
data of the apparatus or data subject to encryption
processing.

[0096] Furthermore, according to another embodiment
of the data processing system of the present invention,
the plurality of data processing apparatuses is
configured by a contents data providing apparatus that
supplies contents data and a contents data utilization
apparatus that utilizes the contents data, both the contents
data providing apparatus and contents data utilization
apparatus have a distribution key generation
master key to generate a contents data distribution key
used for encryption processing of circulation contents
data between the contents data providing apparatus
and contents data utilization apparatus, the contents data
providing apparatus generates a contents data distribution
key based on the distribution key generation
master key and contents identifier, which is an identifier
of supplied contents data and executes encryption
processing on the contents data, and the contents data
utilization apparatus generates a contents data distribution
key based on the distribution key generation master
key and contents identifier, which is an identifier of supplied
contents data and executes decryption processing
on the contents data.
[0097] Furthermore, according to another embodiment
of the data processing system of the present invention,
the contents data providing apparatus has a
plurality of different distribution key generation master 
keys to generate a plurality of different contents data dis- 
tribution keys, generates a plurality of different contents 
data distribution keys based on the plurality of distribu- 
tion key generation master keys and the contents iden- 
tifier, executes encryption processing using the plurality 
of distribution keys generated and generates encryption 
contents data of a plurality of types, and the contents 
data utilization apparatus has at least one distribution 
key generation master key of the plurality of different dis- 
tribution key generation master keys owned by the con- 
tents data providing apparatus and makes decodable 
only encryption contents data by a distribution key gen- 
erated using the same distribution key generation mas- 
ter key as the distribution key generation master key 
owned by the own apparatus. 

[0098] Furthermore, according to another embodi- 
ment of the data processing system of the present in- 
vention, each of said plurality of data processing appa- 
ratuses stores a same contents key generation master 
key to generate a contents key applied to contents data 
encryption processing, data processing apparatus A, 
which is one of the plurality of data processing appara- 
tuses, stores contents data encrypted by a contents key 
generated based on the contents key generation master 
key and the apparatus identifier of the data processing 
apparatus A in a storage medium, different data 
processing apparatus B generates a contents key 
based on the same contents key generation master key 
and the apparatus identifier of the data processing ap- 
paratus A and executes decryption processing on the 
encrypted contents data stored by said data processing 
apparatus A in said storage medium based on said con- 
tents key generated. 

[0099] Furthermore, according to another embodi- 
ment of the data processing system of the present in- 
vention, the plurality of data processing apparatuses is 
configured by a host device and a slave device subject 
to authentication processing by the host device, both the 
host device and slave device have an authentication key 
generation master key applied to authentication processing
between the host device and slave device, the slave de- 
vice generates an authentication key based on the au- 
thentication key generation master key and slave device 
identifier, which is the identifier of the slave device and 
stores in memory in the slave device, and the host de- 
vice generates an authentication key based on the au- 
thentication key generation master key and slave device 
identifier, which is the identifier of the slave device and 
executes authentication processing. 
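
The master-key scheme of the preceding paragraphs, as an added example that is not code from the patent: an individual key is generated on demand from a master key and an identifier, so a host never stores per-slave keys. HMAC-SHA256 stands in for the DES encryption of the identifier under the master key; the challenge-response exchange, class names, key values and identifiers are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def derive_key(master_key, identifier):
    """Individual key from master key and identifier.

    The text encrypts the identifier (message) with the master key using DES;
    HMAC-SHA256 is the stand-in keyed function here.
    """
    return hmac.new(master_key, identifier, hashlib.sha256).digest()


class SlaveDevice:
    """Generates Kake from MKake and its own identifier and stores it in memory."""

    def __init__(self, device_id, mk_ake):
        self.device_id = device_id
        self._kake = derive_key(mk_ake, device_id)

    def respond(self, challenge):
        return hmac.new(self._kake, challenge, hashlib.sha256).digest()


class HostDevice:
    """Holds MKake and regenerates a slave's Kake from the identifier presented."""

    def __init__(self, mk_ake):
        self._mk_ake = mk_ake

    def authenticate(self, claimed_id, slave):
        # Assumed protocol: fresh random challenge, MAC response under Kake.
        challenge = secrets.token_bytes(16)
        kake = derive_key(self._mk_ake, claimed_id)
        expected = hmac.new(kake, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, slave.respond(challenge))


def usable_variants(provider_master_keys, device_master_key, content_id):
    """Names of the provider's content variants whose Kdis the device can regenerate."""
    device_kdis = derive_key(device_master_key, content_id)
    return [name for name, mk in provider_master_keys.items()
            if hmac.compare_digest(derive_key(mk, content_id), device_kdis)]


def demo():
    mk_ake = b"MKake-demo"                      # constructed master keys
    mkdis = {"type-a": b"MKdis-a-demo", "type-b": b"MKdis-b-demo"}
    mk_con = b"MKcon-demo"

    host = HostDevice(mk_ake)
    slave = SlaveDevice(b"slave-0001", mk_ake)
    rogue = SlaveDevice(b"slave-0003", b"MKake-other")

    key_a = derive_key(mk_con, b"apparatus-A")  # key A used when storing content
    return {
        "genuine": host.authenticate(slave.device_id, slave),
        # A slave presenting another device's identifier answers with the wrong Kake.
        "spoofed_id": host.authenticate(b"slave-0002", slave),
        "wrong_master": host.authenticate(rogue.device_id, rogue),
        # A device holding only MKdis-b can regenerate Kdis for that variant alone.
        "variants": usable_variants(mkdis, mkdis["type-b"], b"content-42"),
        # Apparatus B reads A's content by deriving with A's identifier, not its own.
        "b_with_a_id": derive_key(mk_con, b"apparatus-A") == key_a,
        "b_with_own_id": derive_key(mk_con, b"apparatus-B") == key_a,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```
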
[0100] Furthermore, a ninth aspect of the present in- 
vention is a data processing method that executes en- 
cryption processing of at least one of data encryption, 
data decryption, data verification, authentication 
processing and signature processing, including a key
generating step of generating individual keys necessary
to execute the encryption processing based on master
keys to generate the keys used for the encryption
processing and identification data of the apparatus or
data subject to encryption processing and an encryption
processing step of executing encryption processing 
based on the key generated in the key generating step. 
[0101] Furthermore, according to another embodiment
of the data processing method of the present invention,
data processing executed by the data processing
method is encryption processing on transfer data via
a storage medium or communication medium, the key
generating step is a distribution key generating step of
executing encryption processing based on a distribution
key generation master key MKdis for generating a distribution
key Kdis used for encryption processing of
transfer data and a data identifier, which is identification
data of the transfer data, and generating distribution key
Kdis of the transfer data, and the encryption processing
step is a step of executing encryption processing on
transfer data based on the distribution key Kdis gener- 
ated in the distribution key generating step. 
[0102] Furthermore, according to another embodiment
of the data processing method of the present invention,
the data processing executed by the data
processing method is authentication processing of an
externally connected apparatus to/from which data is
transferred, the key generating step is an authentication
key generating step of executing encryption processing
based on an authentication key generation master key
MKake for generating an authentication key Kake of the
externally connected apparatus and an externally connected
apparatus identifier, which is identification data
of the externally connected apparatus, and generating
the authentication key Kake of the externally connected
apparatus, and the encryption processing step is a step
of executing authentication processing of the externally
connected apparatus based on the authentication key
Kake generated in the authentication key generation
step.

[0103] Furthermore, according to another embodiment
of the data processing method of the present invention,
data processing executed by the data processing
apparatus is signature processing on data, the key
generating step is a signature key generating step of
executing encryption processing based on a signature key
generation master key MKdev for generating a data
processing apparatus signature key Kdev of the data
processing apparatus and a data processing apparatus
identifier, which is identification data of the data
processing apparatus and generating the data processing
apparatus signature key Kdev of the data processing
apparatus, and the encryption processing step is a step
of executing signature processing on data based on the
signature key Kdev generated in the signature key
generating step.

[0104] Furthermore, according to another embodiment
of the data processing method of the present invention,
the key generating step is encryption processing
that uses at least part of data identification of the
apparatus or data subject to encryption processing as 
a message and applies the master key as the encryption 
key. 

[0105] Furthermore, according to another embodi- 
ment of the data processing method of the present in- 
vention, the encryption processing is encryption 
processing using a DES algorithm. 
[0106] Furthermore, a tenth aspect of the present in- 
vention is a data processing method in a data process- 
ing system comprising a contents data providing appa- 
ratus that supplies contents data and a contents data 
utilization apparatus that utilizes the contents data, 
characterized in that the contents data providing appa- 
ratus generates a contents data distribution key based 
on a distribution key generation master key for generat- 
ing a contents data distribution key used for encryption 
processing on contents data and a contents identifier, 
which is the identifier of the provided contents data and 
executes encryption processing on the contents data, 
and the contents data utilization apparatus generates a 
contents data distribution key based on the distribution 
key generation master key and a contents identifier, 
which is the identifier of the provided contents data and 
executes decryption processing on the contents data. 
[0107] Furthermore, according to another embodi- 
ment of the data processing method according to the 
present invention, the contents data providing appara- 
tus has a plurality of different distribution key generation 
master keys to generate a plurality of different contents 
data distribution keys, generates a plurality of different 
contents data distribution keys based on the plurality of 
distribution key generation master keys and the con- 
tents identifier, executes encryption processing using 
the plurality of distribution keys generated and gener- 
ates encryption contents data of a plurality of types, and 
the contents data utilization apparatus has at least one 
distribution key generation master key of the plurality of 
different distribution key generation master keys owned 
by the contents data providing apparatus and decrypts 
only encryption contents data by a distribution key gen- 
erated using the same distribution key generation mas- 
ter key as the distribution key generation master key 
owned by the own apparatus. 

[0108] Furthermore, an eleventh aspect of the 
present invention is a data processing method in a data 
processing system comprising a step of storing, by data 
processing apparatus A, which is one of the plurality of 
data processing apparatuses, in a storage medium con- 
tents data encrypted using a contents key generated 
based on a contents key generation master key to gen- 
erate a contents key used for encryption processing of 
contents data and the apparatus identifier of the data 
processing apparatus A, a step of generating the same 
contents key as the contents key by different data 
processing apparatus B based on the same contents
key generation master key as that of the data processing
apparatus A and the apparatus identifier of the data
processing apparatus A, and a step of decrypting the
contents data stored in the storage medium using the
contents key generated by said data processing apparatus B.

[0109] Furthermore, a twelfth aspect of the present invention
is a data processing method in a data processing
system comprising a host device, and a slave device
subject to authentication processing by the host device,
characterized in that the slave device generates an
authentication key based on an authentication key generation
master key to generate an authentication key used
for authentication processing between the host device
and slave device and a slave device identifier, which is
the identifier of the slave device and stores the
authentication key generated in memory in said slave device,
and the host device generates an authentication key
based on the authentication key generation master key
and slave device identifier, which is the identifier of the
slave device and executes authentication processing.
[0110] Furthermore, a thirteenth aspect of the present
invention is a program providing medium that supplies
a computer program to execute encryption processing
of at least one of data encryption, data decryption, data
verification, authentication processing and signature
processing, on a computer system, the computer program
comprising a key generating step of generating individual
keys necessary to execute the encryption
processing based on the master key to generate the key
used for the encryption processing and identification data
of the apparatus or data subject to encryption
processing, and an encryption processing step of executing
encryption processing based on the keys generated
in the key generating step.

[0111] A fourteenth aspect of the present invention is
a data processing apparatus that processes contents
data supplied from a storage medium or communication
medium, characterized by comprising a storage section
that stores data processing apparatus identifiers, a list
verification section that extracts an illegal device list
included in the contents data and executes collation
between entries of the list and the data processing apparatus
identifiers stored in the storage section, and a control
section that stops executing processing of at least
either one of reproduction of the contents data or
processing of storage in a recording device when the
result of the collation processing in the collation
processing section shows that the illegal device list
includes information that matches the data processing
identifiers.

[0112] According to another embodiment of the data 
processing apparatus of the present invention, the list 
verification section comprises an encryption processing
section that executes encryption processing on the
contents data, and the encryption processing section
verifies the presence or absence of tampering in the illegal
device list based on check values of the illegal device
list included in the contents data and executes the
collation processing only when the verification proves no
tampering.

[0113] Furthermore, another embodiment of the data 
processing apparatus of the present invention further 
comprises an illegal device list check value generation 
key, characterized in that the encryption processing sec- 
tion executes encryption processing applying the illegal 
device list check value generation key to illegal device 
list configuration data to be verified, generates illegal 
device list check values, executes collation between the 
illegal device list check values and the illegal device list 
check values included in the contents data and thereby 
verifies the presence or absence of tampering in the il- 
legal device list. 

[0114] Furthermore, according to another embodi- 
ment of the data processing apparatus of the present 
invention, the list verification section comprises an en- 
cryption processing section that executes encryption 
processing on the contents data, the encryption 
processing section executes decryption processing of 
the encrypted illegal device list included in the contents 
data and executes the collation processing on the illegal 
device list resulting from the decryption processing. 
[0115] Furthermore, according to another embodi- 
ment of the data processing apparatus of the present 
invention, the list verification section comprises an en- 
cryption processing section that executes mutual au- 
thentication processing with a recording device to/from 
which contents data is transferred, the list verification 
section extracts the illegal device list included in the con- 
tents data and executes collation with the data process- 
ing apparatus identifiers stored in the storage section 
on condition that authentication with the recording de- 
vice has been established through mutual authentica- 
tion processing executed by the encryption processing 
section. 
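
The flow of paragraphs [0111] to [0113], as an added example that is not code from the patent: the device recomputes the illegal device list check value and collates its own identifier against the entries only when that value matches. The header layout (2-byte count, 8-byte identifiers), all names, stopping when the check value does not match, and HMAC-SHA-256 as the keyed check-value function are assumptions made for this illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
from enum import Enum

ID_LEN = 8    # assumed identifier width in bytes
ICV_LEN = 32  # HMAC-SHA-256 output, standing in for the patent's check value


class Decision(Enum):
    PROCEED = "continue reproduction or storage"
    STOP_REVOKED = "stop: own identifier is on the illegal device list"
    STOP_TAMPERED = "stop: illegal device list failed its check value"


def list_check_value(check_key: bytes, list_data: bytes) -> bytes:
    """Keyed check value over the list configuration data (assumed HMAC)."""
    return hmac.new(check_key, list_data, hashlib.sha256).digest()


def build_header(check_key: bytes, revoked_ids: list[bytes]) -> bytes:
    """Content-provider side: count || identifiers || check value."""
    if any(len(entry) != ID_LEN for entry in revoked_ids):
        raise ValueError("identifier has the wrong length")
    list_data = struct.pack(">H", len(revoked_ids)) + b"".join(revoked_ids)
    return list_data + list_check_value(check_key, list_data)


def check_device(check_key: bytes, header: bytes, own_id: bytes) -> Decision:
    """Device side: verify the list first, collate only if it is intact."""
    if len(header) < 2 + ICV_LEN:
        return Decision.STOP_TAMPERED
    (count,) = struct.unpack(">H", header[:2])
    list_len = 2 + count * ID_LEN
    # The declared count must account for every byte of the header.
    if len(header) != list_len + ICV_LEN:
        return Decision.STOP_TAMPERED
    list_data, stored_icv = header[:list_len], header[list_len:]
    expected = list_check_value(check_key, list_data)
    if not hmac.compare_digest(expected, stored_icv):
        return Decision.STOP_TAMPERED
    # Collation: compare the stored device identifier with each entry.
    entries = [list_data[2 + i * ID_LEN: 2 + (i + 1) * ID_LEN]
               for i in range(count)]
    if own_id in entries:
        return Decision.STOP_REVOKED
    return Decision.PROCEED


# Constructed sample data (not taken from the patent).
CHECK_KEY = bytes(range(16))
HEADER = build_header(CHECK_KEY, [b"DEV00017", b"DEV00042"])
# Constructed tampered header: one entry dropped and the count lowered,
# but the original check value left in place.
TAMPERED = struct.pack(">H", 1) + b"DEV00017" + HEADER[-ICV_LEN:]

if __name__ == "__main__":
    for label, header, device in [
        ("unlisted device", HEADER, b"DEV00099"),
        ("listed device", HEADER, b"DEV00042"),
        ("listed device, edited list", TAMPERED, b"DEV00042"),
    ]:
        print(f"{label}: {check_device(CHECK_KEY, header, device).value}")
```

Verifying before collating is what keeps an edited list from letting a listed device through: the third case stops on the check value, not on the list contents.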

[0116] A fifteenth aspect of the present invention is a 
data processing method that processes contents data 
supplied from a storage medium or communication me- 
dium, comprising a list extracting step of extracting an 
illegal device list included in the content data, a collation 
processing step of executing collation between entries 
included in the list extracted in the list extracting step 
and the data processing apparatus identifiers stored in 
a storage section in the data processing apparatus, and 
a step of stopping execution of processing of at 
least either one of reproduction of the contents data or 
processing of storage in the recording device when the 
result of the collation processing in the collation 
processing step shows that the illegal device list in- 
cludes information that matches the data processing 
identifiers. 

[0117] Furthermore, according to another embodi- 
ment of the data processing method of the present in- 
vention, the data processing method further comprises 
a verification step of verifying the presence or absence 
of tampering in the illegal device list based on check
values of the illegal device list included in the contents data,
and the collation processing step executes collation
processing only when the verification step proves no 
tampering. 

[0118] Furthermore, according to another embodiment
of the data processing method of the present invention,
the verification step comprises a step of executing
encryption processing applying an illegal device
list check value generation key to illegal device list
configuration data to be verified and generating illegal
device list check values, and a step of executing collation
between the illegal device list check values generated 
and the illegal device list check values included in the 
contents data and thereby verifying the presence or ab- 
sence of tampering in the illegal device list. 

[0119] Furthermore, another embodiment of the data
processing method of the present invention further com- 
prises a decrypting step of executing decrypting 
processing on the encrypted illegal device list included 
in the contents data and the collation processing step
executes the collation processing on the illegal device
list resulting from the decrypting step. 
[0120] Furthermore, another embodiment of the data 
processing method of the present invention further
comprises a mutual authentication processing step of
executing mutual authentication processing with a
recording device to/from which contents data is transferred,
and the collation processing step executes collation
processing on condition that authentication with the
recording device has been established through mutual
authentication processing executed by the mutual
authentication processing step.

[0121] A sixteenth aspect of the present invention is
a contents data generation method that generates
contents data supplied from a storage medium or
communication medium to a plurality of recorders/reproducers,
characterized in that an illegal device list whose
component data comprises identifiers of recorders/reproducers,
which will be excluded from the use of the contents
data is stored as the header information of the contents
data.

[0122] Furthermore, according to another embodi- 
ment of the contents data generation method of the 
present invention, the illegal device list check values for 
a tampering check of the illegal device list are also
stored as the header information of the contents data.
[0123] Furthermore, according to another embodi- 
ment of the contents data generation method of the 
present invention, the illegal device list is encrypted and 
stored in the header information of the contents data. 

[0124] Furthermore, a seventeenth aspect of the
present invention is a program supply medium that sup- 
plies a computer program that allows a computer sys- 
tem to execute processing of contents data supplied 
from a storage medium or communication medium,
characterized in that the computer program comprises
a list extracting step of extracting an illegal device list 
included in the contents data, a collation processing 
step of executing collation between entries included in 
the list extracted in the list extracting step and the data
processing apparatus identifiers stored in a storage sec- 
tion in the data processing apparatus, and a step of stop- 
ping execution of processing of either one of reproduc- 
tion of the contents data or processing of storage in a 
recording device when the result of the collation 
processing in the collation processing step shows that 
the illegal device list includes information that matches 
the data processing identifiers. 

[0125] An eighteenth aspect of the present invention 
is a data processing apparatus that processes contents 
data supplied via a recording medium or communication 
medium, comprising an encryption processing section 
that executes encryption processing on the contents da- 
ta, a control section that executes control over the en- 
cryption processing section, a system common key 
used for encryption processing in the encryption
processing section, which is common to other data 
processing apparatuses using the contents data, and at 
least one of an apparatus-specific key, which is specific 
to the data processing apparatus used for encryption 
processing in the encryption processing section or an 
apparatus-specific identifier to generate the apparatus- 
specific key, characterized in that the encryption 
processing section is configured to perform encryption 
processing by applying either one of the system com- 
mon key or the apparatus-specific key according to the 
utilization mode of the contents data. 
[0126] Furthermore, in another embodiment of the data
processing apparatus of the present invention, the
encryption processing section executes encryption
processing by applying either one of the system com- 
mon key or the apparatus-specific key according to uti- 
lization restriction information included in the contents 
data. 

[0127] Furthermore, another embodiment of the data 
processing apparatus of the present invention further 
comprises a recording device for recording contents da- 
ta, characterized in that the encryption processing sec- 
tion, when imposed with a utilization restriction that the 
contents data should be used only for the own data 
processing apparatus, generates data to be stored in 
the recording device by executing encryption process- 
ing using the apparatus-specific key for the contents da- 
ta, and in the case where the contents data is also made 
available to an apparatus other than the own data 
processing apparatus, data to be stored in the recording 
device is generated by executing encryption processing 
using the system common key on the contents data. 
[0128] Furthermore, another embodiment of the data 
processing apparatus of the present invention compris- 
es a signature key Kdev specific to the data processing 
apparatus and a system signature key Ksys common to 
a plurality of data processing apparatuses, character- 
ized in that the encryption processing section, when the 
contents data is stored in the recording device imposed 
with a utilization restriction that the contents data should 
be used only for the own data processing apparatus,
generates an apparatus-specific check value through
encryption processing applying the apparatus-specific
signature key Kdev to the contents data and, when the
contents data is stored in the recording device with the
contents data also made available to an apparatus other
than the own data processing apparatus, generates an
overall check value through encryption processing
applying the system signature key Ksys to the contents
data, and the control section performs control of storing
either one of the apparatus-specific check value
generated by the encryption processing section or the overall
check value together with the contents data in the
recording device.

[0129] Furthermore, another embodiment of the data
processing apparatus of the present invention comprises
a signature key Kdev specific to the data processing
apparatus and a system signature key Ksys common to
a plurality of data processing apparatuses,
characterized in that the encryption processing section, when
contents data imposed with a utilization restriction that
the contents data should be used only for the own data
processing apparatus is reproduced, generates an
apparatus-specific check value applying the
apparatus-specific signature key Kdev to the contents data and
executes collation processing on the apparatus-specific
check value generated and, when contents data also
made available to an apparatus other than the own data
processing apparatus is reproduced, generates an
overall check value through encryption processing
applying the system signature key Ksys to the contents
data and performs collation processing on the overall
check value generated, and the control section
generates reproducible decrypted data by continuing
processing of contents data by the encryption
processing section only when collation with the
apparatus-specific check value is established or when collation with
the overall check value is established.
[0130] Furthermore, another embodiment of the data
processing apparatus of the present invention comprises
a recording data processing apparatus signature key
master key MKdev and data processing apparatus
identifier IDdev, characterized in that the encryption
processing section generates a signature key Kdev as
the data processing apparatus specific key through
encryption processing based on the recording data
processing apparatus signature key master key MKdev
and the data processing apparatus identifier IDdev.
[0131] Furthermore, in another embodiment of the data
processing apparatus of the present invention, the
encryption processing section generates the signature key
Kdev through DES encryption processing applying the
recording data processing apparatus signature key
master key MKdev to the data processing apparatus
identifier IDdev.
[0132] Furthermore, in another embodiment of the data
processing apparatus of the present invention, the
encryption processing section generates an intermediate
integrity check value by executing encryption processing
on the contents data and executes encryption
processing applying the data processing apparatus specific
key or system common key on the intermediate
integrity check value.

[0133] Furthermore, in another embodiment of the data
processing apparatus of the present invention, the
encryption processing section generates a partial integrity
check value through encryption processing on a partial 
data set containing at least one partial data item ob- 
tained by dividing the contents data into a plurality of 
parts and generates an intermediate integrity check val- 
ue through encryption processing on a partial integrity 
check value set data string containing the partial integ- 
rity check value generated. 
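
Paragraphs [0125] to [0132] as an added example, not code from the patent: Kdev is derived from MKdev and IDdev, the key is selected by the utilization restriction, and reproduction continues only when the recomputed check value collates. The patent names DES for the derivation; a truncated HMAC-SHA-256 stands in for every encryption step here, and the field names, the `k_icv` intermediate key and all key values are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def keyed(key: bytes, data: bytes) -> bytes:
    """Stand-in for 'encryption processing applying key to data' (assumed)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


@dataclass(frozen=True)
class Device:
    id_dev: bytes   # data processing apparatus identifier IDdev
    mk_dev: bytes   # signature key master key MKdev, shared by all devices
    k_sys: bytes    # system signature key Ksys, shared by all devices
    k_icv: bytes    # hypothetical key for the intermediate check value

    @property
    def k_dev(self) -> bytes:
        # Generated on demand from MKdev and IDdev rather than stored.
        return keyed(self.mk_dev, self.id_dev)

    def signature_key(self, own_device_only: bool) -> bytes:
        # Key selection according to the utilization restriction.
        return self.k_dev if own_device_only else self.k_sys


@dataclass(frozen=True)
class StoredContent:
    data: bytes
    own_device_only: bool   # utilization restriction information
    check_value: bytes      # apparatus-specific or overall check value


def check_value(device: Device, data: bytes, own_device_only: bool) -> bytes:
    # Two stages: intermediate check value over the data, then the
    # selected signature key applied to that intermediate value.
    intermediate = keyed(device.k_icv, data)
    return keyed(device.signature_key(own_device_only), intermediate)


def store(device: Device, data: bytes, own_device_only: bool) -> StoredContent:
    value = check_value(device, data, own_device_only)
    return StoredContent(data, own_device_only, value)


def reproduce(device: Device, stored: StoredContent) -> Optional[bytes]:
    """Return the data only when collation is established, else None."""
    expected = check_value(device, stored.data, stored.own_device_only)
    if not hmac.compare_digest(expected, stored.check_value):
        return None
    return stored.data


# Constructed keys and identifiers (not taken from the patent).
MK_DEV, K_SYS, K_ICV = b"constructed-MKdev", b"constructed-Ksys", b"constructed-Kicv"
DEVICE_A = Device(b"DEVICE-A", MK_DEV, K_SYS, K_ICV)
DEVICE_B = Device(b"DEVICE-B", MK_DEV, K_SYS, K_ICV)
LOCAL = store(DEVICE_A, b"constructed content", own_device_only=True)
SHARED = store(DEVICE_A, b"constructed content", own_device_only=False)

if __name__ == "__main__":
    print("A plays own-device content:", reproduce(DEVICE_A, LOCAL) is not None)
    print("B plays A's own-device content:", reproduce(DEVICE_B, LOCAL) is not None)
    print("B plays shared content:", reproduce(DEVICE_B, SHARED) is not None)
```

Because the key is chosen from the restriction flag, changing the flag on stored content selects the other key and collation fails, so the flag is bound to the check value without being part of the signed data.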

[0134] A nineteenth aspect of the present invention is
a data processing method that processes contents data 
supplied via a recording medium or communication me- 
dium, characterized by selecting either one of an en- 
cryption processing system common key common to 
other data processing apparatuses using the contents 
data or an apparatus-specific key, which is specific to 
the data processing apparatus according to the utiliza- 
tion mode of the contents data, and executing encryp- 
tion processing by applying the selected encryption 
processing key to the contents data. 
[0135] Furthermore, another embodiment of the data 
processing method of the present invention is charac- 
terized in that the encryption processing key selecting 
step is a step of selecting according to utilization restric- 
tion information contained in the contents data. 
[0136] Furthermore, another embodiment of the data 
processing method of the present invention is charac- 
terized in that the processing of storing contents data in 
the recording device, when imposed with a utilization re- 
striction that the contents data should be used only for 
the own data processing apparatus, generates data to 
be stored in the recording device by executing encryp- 
tion processing applying the apparatus-specific key to 
the contents data, and in the case where the contents 
data is also made available to an apparatus other than 
the own data processing apparatus, data to be stored 
in the recording device is generated by executing en- 
cryption processing using the system common key on 
the contents data. 

[0137] Furthermore, another embodiment of the data
processing method of the present invention is charac- 
terized in that when the contents data is stored in the 
recording device imposed with a utilization restriction 
that the contents data should be used only for the own 
data processing apparatus, the processing of recording 
contents data in the recording device generates an ap- 
paratus-specific check value through encryption 
processing applying the apparatus-specific signature 
key Kdev to the contents data and, when the contents 
data is stored in the recording device with the contents 
data also made available to an apparatus other than the 
own data processing apparatus, generates an overall 
check value through encryption processing applying the
system signature key Ksys to the contents data, and
either one of the apparatus-specific check value generated
or the overall check value is stored together with the
contents data in the recording device.
[0138] Furthermore, another embodiment of the data
processing method of the present invention is charac- 
terized in that when contents data imposed with a utili- 
zation restriction that the contents data should be used 
only for the own data processing apparatus is repro- 
duced, the contents data reproducing processing gen- 
erates an apparatus-specific check value through en- 
cryption processing applying the apparatus-specific sig- 
nature key Kdev to the contents data and executes col- 
lation processing on the apparatus-specific check value 
generated and, when contents data imposed with a uti- 
lization restriction that the contents data is also made 
available to an apparatus other than the own data 
processing apparatus is reproduced, generates an 
overall check value through encryption processing ap- 
plying the system signature key Ksys to the contents da- 
ta and performs collation processing on the overall 
check value generated, and contents data is reproduced 
only when collation with the apparatus-specific check 
value is established or when collation with the overall 
check value is established. 

[0139] Furthermore, another embodiment of the data 
processing method of the present invention further com- 
prises a step of generating a signature key Kdev as the 
data processing apparatus specific key through encryp- 
tion processing based on data processing apparatus 
signature key master key MKdev and the data process- 
ing apparatus identifier IDdev. 

[0140] Furthermore, another embodiment of the data
processing method of the present invention is charac- 
terized in that the signature key Kdev generating step is 
a step of generating the signature key Kdev through 
DES encryption processing applying the data process- 
ing apparatus signature key master key MKdev to the 
data processing apparatus identifier IDdev. 
[0141] Furthermore, another embodiment of the data 
processing method of the present invention further com- 
prises a step of generating an intermediate integrity 
check value by executing encryption processing on the 
contents data, characterized by executing encryption 
processing applying the data processing apparatus spe- 
cific key or system common key to the intermediate in- 
tegrity check value. 

[0142] Furthermore, another embodiment of the data
processing method of the present invention is charac- 
terized by further generating a partial integrity check val- 
ue through encryption processing on a partial data set 
containing at least one partial data item obtained by di- 
viding the contents data into a plurality of parts and gen- 
erating an intermediate integrity check value through 
encryption processing on a partial integrity check value 
set data string containing the partial integrity check val- 
ue generated. 

[0143] A twentieth aspect of the present invention is 
a program supply medium that supplies a computer
program allowing a computer system to execute data
processing that processes contents data supplied via a 
recording medium or communication medium, and the 
computer program comprises the steps of selecting ei- 
ther encryption processing key, an encryption process- 
ing system common key common to other data process- 
ing apparatuses using the contents data or an appara- 
tus-specific key, which is specific to the data processing 
apparatus according to the utilization mode of the con- 
tents data, and executing encryption processing apply- 
ing the selected encryption processing key to the con- 
tents data. 

[0144] A twenty first aspect of the present invention 
is a data processing apparatus that processes contents 
data supplied via a recording medium or communication 
medium, comprising an encryption processing section 
that executes encryption processing on the contents da- 
ta, and a control section that executes control over the 
encryption processing section, characterized in that the 
encryption processing section is configured to generate 
a contents check value in units of contents block data 
to be verified included in the data, execute collation on 
the contents check value generated and thereby exe- 
cute verification processing on the validity of each con- 
tents block data in the data. 

[0145] Furthermore, another embodiment of the data 
processing apparatus of the present invention comprises
a contents check value generation key and
characterized in that the encryption processing section
generates a contents intermediate value based on contents
block data to be verified and generates a contents check
value by executing encryption processing applying the 
contents check value generation key to the contents in- 
termediate value. 

[0146] Furthermore, another embodiment of the data
processing apparatus of the present invention is char- 
acterized in that when the contents block data to be ver- 
ified is encrypted, the encryption processing section 
generates a contents intermediate value by executing 
predetermined operation processing on an entire de- 
crypted statement obtained through decryption 
processing of the contents block data in units of a pre- 
determined number of bytes, and when the contents 
block data to be verified is not encrypted, generates a 
contents intermediate value by executing predeter- 
mined operation processing on the entire contents block 
data in units of a predetermined number of bytes. 
[0147] Furthermore, another embodiment of the data
processing apparatus of the present invention is char- 
acterized in that the predetermined operation process- 
ing applied in the intermediate integrity check value gen- 
eration processing by the encryption processing section 
is an exclusive-OR operation. 

[0148] Furthermore, another embodiment of the data 
processing apparatus of the present invention is char- 
acterized in that the encryption processing section has 
an encryption processing configuration in CBC mode 
and the decryption processing applied to the content
intermediate value generation processing when the
contents block data to be verified is encrypted is decryption
processing in CBC mode.

[0149] Furthermore, another embodiment of the data
processing apparatus of the present invention is char- 
acterized in that the encryption processing configuration 
in CBC mode of the encryption processing section is a 
configuration in which common key encryption processing
is applied a plurality of times only to part of a
message string to be processed.

[0150] Furthermore, another embodiment of the data 
processing apparatus of the present invention is char- 
acterized in that when the contents block data contains 
a plurality of parts and some parts included in the
contents block data are to be verified, the encryption
processing section generates a contents check value 
based on the parts to be verified, executes collation 
processing on the contents check value generated and 
thereby executes verification processing on the validity 
in units of content block data in the data. 
[0151] Furthermore, another embodiment of the data 
processing apparatus of the present invention is char- 
acterized in that when the contents block data contains 
a plurality of parts and it is one part that needs to be 
verified, the encryption processing section generates a 
contents check value by executing encryption process- 
ing applying the contents check value generation key to 
a value obtained by carrying out an exclusive-OR in 
units of a predetermined number of bytes on the entire 
decrypted statement obtained by decryption processing 
of parts to be verified in the case where the parts to be 
verified is encrypted, and generates a contents check 
value by executing encryption processing applying the 
contents check value generation key to a value obtained 
by carrying out an exclusive-OR in units of a predeter- 
mined number of bytes on the entire part to be verified 
in the case where the parts to be verified is not encrypt- 
ed. 

[0152] Furthermore, another embodiment of the data 
processing apparatus of the present invention is char- 
acterized in that when the contents block data contains 
a plurality of parts and it is a plurality of parts that needs 
to be verified, the encryption processing section uses, 
as a contents check value, the result obtained by exe- 
cuting encryption processing applying the contents 
check value generation key to link data of a parts check 
value obtained by executing encryption processing ap- 
plying a contents check value generation key to each 
part. 
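
The contents check value of paragraphs [0145] to [0147], [0151] and [0152], as an added example that is not code from the patent: the exclusive-OR intermediate value over 8-byte units, the check value for one part, and the check value over the link data of several parts. A truncated HMAC-SHA-256 stands in for the encryption step; the 8-byte unit size, zero padding of a short final unit, the key and the sample parts are assumptions, and the parts are taken as already decrypted.

```python
import hashlib
import hmac

UNIT = 8  # assumed "predetermined number of bytes"


def keyed(key: bytes, data: bytes) -> bytes:
    """Stand-in for encryption with the contents check value generation key."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def xor_fold(data: bytes) -> bytes:
    """Contents intermediate value: XOR of the data taken in UNIT-byte units."""
    acc = bytearray(UNIT)
    for offset in range(0, len(data), UNIT):
        # Assumption: a short final unit is padded with zero bytes.
        unit = data[offset:offset + UNIT].ljust(UNIT, b"\x00")
        for i in range(UNIT):
            acc[i] ^= unit[i]
    return bytes(acc)


def part_check_value(key: bytes, part: bytes) -> bytes:
    return keyed(key, xor_fold(part))


def block_check_value(key: bytes, parts: list) -> bytes:
    """One part: its check value. Several parts: the key applied again
    to the concatenation (link data) of the parts check values."""
    if not parts:
        raise ValueError("no parts to verify")
    if len(parts) == 1:
        return part_check_value(key, parts[0])
    link_data = b"".join(part_check_value(key, part) for part in parts)
    return keyed(key, link_data)


def verify_block(key: bytes, parts: list, stored: bytes) -> bool:
    """Collation; the caller stops storage or reproduction on False."""
    return hmac.compare_digest(block_check_value(key, parts), stored)


# Constructed sample data (not taken from the patent).
KEY = b"constructed-Kicvc"
PART_A = b"AAAAAAAA" + b"BBBBBBBB"
PART_B = b"media-part-two!!"
STORED = block_check_value(KEY, [PART_A, PART_B])

if __name__ == "__main__":
    print("intact block:", verify_block(KEY, [PART_A, PART_B], STORED))
    print("one byte changed:",
          verify_block(KEY, [b"AAAAAAAa" + b"BBBBBBBB", PART_B], STORED))
    print("parts in a different order:",
          verify_block(KEY, [PART_B, PART_A], STORED))
```

The link data binds the order of the parts, but exclusive-OR is commutative, so the intermediate value of a single part is the same for any ordering of its 8-byte units; a MAC computed over the whole part also binds position.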

[0153] Furthermore, another embodiment of the data 
processing apparatus of the present invention is char- 
acterized in that the encryption processing section fur- 
ther comprises a recording device for storing contents 
data containing contents block data whose validity has 
been verified. 

[0154] Furthermore, another embodiment of the data 
processing apparatus of the present invention is
characterized in that when collation is not established in the
collation processing on a contents check value in the 
encryption processing section, the control section stops 
storage in the recording device. 

[0155] Furthermore, another embodiment of the data 
processing apparatus of the present invention is char- 
acterized in that the encryption processing section fur- 
ther comprises a reproduction processing section for re- 
producing data whose validity has been verified. 
[0156] Furthermore, another embodiment of the data 
processing apparatus of the present invention is char- 
acterized in that when collation is not established in the 
collation processing on a contents check value in the 
encryption processing section, the control section stops 
reproduction processing in the reproduction processing 
section. 

[0157] A twenty second aspect of the present inven- 
tion is a data processing method that processes con- 
tents data supplied via a recording medium or commu- 
nication medium, characterized by generating a con- 
tents check value in units of contents block data to be 
verified included in the data, executing collation on the 
contents check value generated and thereby executing 
verification processing on the validity in units of contents 
block data in the data. 

[0158] Furthermore, another embodiment of the data 
processing method of the present invention is charac- 
terized by generating a contents intermediate value 
based on contents block data to be verified and gener- 
ating a contents check value by executing encryption 
processing applying the contents check value genera- 
tion key to the contents intermediate value generated. 
[0159] Furthermore, another embodiment of the data 
processing method of the present invention is charac- 
terized by generating, when the contents block data to 
be verified is encrypted, a contents intermediate value 
by executing predetermined operation processing on an 
entire decrypted statement obtained through decryption 
processing of the contents block data in units of a pre- 
determined number of bytes, and generating, when the 
contents block data to be verified is not encrypted, a 
contents intermediate value by executing predeter- 
mined operation processing on the entire contents block 
data in units of a predetermined number of bytes. 
[0160] Furthermore, another embodiment of the data 
processing method of the present invention is charac- 
terized in that the predetermined operation processing 
applied in the intermediate integrity check value gener- 
ation processing is an exclusive-OR operation. 
[0161] Furthermore, another embodiment of the data 
processing method of the present invention is charac- 
terized in that in the contents intermediate value gener- 
ation processing, the decryption processing applied to 
the content intermediate value generation processing 
when the contents block data to be verified is encrypted 
is decryption processing in CBC mode. 
[0162] Furthermore, another embodiment of the data 
processing method of the present invention is
characterized in that in the decryption processing configuration
in CBC mode, common key encryption processing is ap- 
plied a plurality of times only to part of a message string 
to be processed. 

[0163] Furthermore, another embodiment of the data
processing method of the present invention is charac- 
terized by generating, when the contents block data 
contains a plurality of parts and some parts included in 
the contents block data are to be verified, a contents
check value based on the parts to be verified, executing
collation processing on the contents check value gen- 
erated and thereby executing verification processing on 
the validity in units of content block data in the data. 
[0164] Furthermore, another embodiment of the data
processing method of the present invention is
characterized by generating, when the contents block data
contains a plurality of parts and it is one part that needs to
be verified, a contents check value by executing
encryption processing applying the contents check value
generation key to a value obtained by carrying out an
exclusive-OR in units of a predetermined number of bytes
on the entire decrypted statement obtained by
decryption processing of parts to be verified in the case where
the parts to be verified is encrypted, and generating a
contents check value by executing encryption processing
applying the contents check value generation key to
a value obtained by carrying out an exclusive-OR in
units of a predetermined number of bytes on the entire
part to be verified in the case where the part to be
verified is not encrypted.

[0165] Furthermore, another embodiment of the data
processing method of the present invention is
characterized by using, when the contents block data contains
a plurality of parts and it is a plurality of parts that needs
to be verified, as a contents check value, the result
obtained by executing encryption processing further
applying the contents check value generation key to link
data of a parts check value obtained by executing
encryption processing applying the contents check value
generation key to each part.

[0166] Furthermore, another embodiment of the data 
processing method of the present invention further com- 
prises a step of storing contents data containing con- 
tents block data whose validity has been verified. 

[0167] Furthermore, another embodiment of the data
processing method of the present invention is charac- 
terized in that when collation is not established in the 
collation processing on a contents check value, the con- 
trol section stops storage in the recording device. 

[0168] Furthermore, another embodiment of the data
processing method of the present invention further com- 
prises a step of reproducing data whose validity has 
been verified. 

[0169] Furthermore, another embodiment of the data 
processing method of the present invention is
characterized by stopping reproduction processing when
collation is not established in the collation processing on a
contents check value. 
[0170] A twenty third aspect of the present invention
is a contents data verification value assignment method 
for contents data verification processing, characterized 
by generating a contents check value in units of contents 
block data to be verified included in the data, assigning 
the contents check value generated to contents data 
containing the contents block data to be verified. 
[0171] Furthermore, another embodiment of the con- 
tents data verification value assignment method of the 
present invention is characterized in that the contents 
check value is generated through encryption processing 
applying the contents check value generation key using 
the contents block data to be checked as a message. 
[0172] Furthermore, another embodiment of the con- 
tents data verification value assignment method of the 
present invention is characterized in that the contents 
check value is generated by generating a contents intermediate
value based on the contents block data to
be verified and executing encryption processing apply- 
ing the contents check value generation key to the con- 
tents intermediate value. 

[0173] Furthermore, another embodiment of the con- 
tents data verification value assignment method of the 
present invention is characterized in that the contents 
check value is generated by executing encryption 
processing in CBC mode on the contents block data to 
be verified. 

[0174] Furthermore, another embodiment of the con- 
tents data verification value assignment method of the 
present invention is characterized in that the encryption 
processing configuration in CBC mode is a configuration 
in which common key encryption processing is applied 
a plurality of times only to part of a message string to be 
processed. 

[0175] Furthermore, another embodiment of the contents
data verification value assignment method of the
present invention is characterized by generating, when 
the contents block data contains a plurality of parts and 
some parts included in the contents block data are to be 
verified, a contents check value based on the parts to 
be verified and assigning the contents check value gen- 
erated to contents data containing the content block da- 
ta to be verified. 

[0176] Furthermore, another embodiment of the con- 
tents data verification value assignment method of the 
present invention is characterized by generating, when 
the contents block data contains a plurality of parts and 
it is one part that needs to be verified, a contents check 
value by executing encryption processing applying the 
contents check value generation key to a value obtained 
by carrying out an exclusive-OR in units of a predeter- 
mined number of bytes on the entire decrypted state- 
ment obtained by decryption processing of parts to be 
verified in the case where the parts to be verified is en- 
crypted, generating a contents check value by executing 
encryption processing applying the contents check val- 
ue generation key to a value obtained by carrying out 
an exclusive-OR in units of a predetermined number of
bytes on the entire part to be verified in the case where
the parts to be verified is not encrypted and assigning 
the contents check value generated to the contents data 
containing the contents block data to be verified. 
[0177] Furthermore, another embodiment of the contents
data verification value assignment method of the
present invention is characterized by using, when the 
contents block data contains a plurality of parts and it is 
a plurality of parts that needs to be verified, as a contents 
check value, the result obtained by executing encryption 
processing further applying the contents check value 
generation key to link data of a parts check value ob- 
tained by executing encryption processing applying the 
contents check value generation key to each part and 
assigning the contents check value generated to con- 
tents data containing the contents block data to be ver- 
ified. 

[0178] A twenty fourth aspect of the present invention 
is a program supply medium that supplies a computer 
program to execute data processing on contents data 
supplied via a recording medium or communication me- 
dium, with the computer program comprising a step of 
generating a contents check value in units of contents 
block data to be verified included in the data, and a step 
of executing collation processing on the contents check 
value generated and thereby executing verification 
processing on the validity in units of contents block data 
in the data. 

[0179] A twenty fifth aspect of the present invention 
is a data processing apparatus for executing processing 
for generating storing data with respect to a recording 
device of content data, which has a plurality of content 
blocks in which at least a part of the blocks are encrypted 
and a header section storing information on the contents 
blocks, which is characterized in that 

in the case in which content data to be an object 
of storage in the recording device is structured by data 
stored in the header section, which is an encryption key 
data Kdis[Kcon] that is an encryption key Kcon of the 
content block applied encryption processing by an en- 
cryption key Kdis, 

the data processing apparatus has a structure for 
executing processing for taking out the encryption key 
data Kdis[Kcon] from the header section and executing 
decryption processing to generate decryption data 
Kcon, generating a new encryption key data Kstr[Kcon]
that is applied encryption processing by an encryption 
key Kstr and storing the new encryption key data Kstr 
[Kcon] in the header section of the content data, and 
applying a different encryption key Kstr to the generated 
decryption data Kcon to execute encryption processing. 
[0180] A twenty sixth aspect of the present invention 
is a data processing apparatus for executing processing 
for generating storing data with respect to a recording 
device of content data, which has a plurality of content 
blocks in which at least a part of the blocks are encrypted 
and a header section storing information on the contents 
blocks, which is characterized in that: in the case in
which the content block included in content data to be 
an object of storage with respect to the recording device 
is composed of contents encrypted by an encryption key 
Kblc and encryption key data Kcon[Kblc] that is encrypt- 
ed by the encryption key Kcon, and has a structure in 
which encryption key data Kdis[Kcon] that is the encryption
key Kcon applied encryption processing by an encryption
key Kdis is stored in the header section, the
data processing apparatus has a structure for executing 
processing for taking out the encryption key data Kdis 
[Kcon] from the header section and executing decryp- 
tion processing to generate decryption data Kcon, gen- 
erating an encryption key data Kstr[Kcon] that is applied 
encryption processing by an encryption key Kstr and 
storing the encryption key data Kstr[Kcon] in the header 
section of the content data, and applying a different en- 
cryption key Kstr to the generated decryption data Kcon 
to execute encryption processing. 
[0181] In addition, a twenty seventh aspect of the 
present invention is a data processing apparatus for ex- 
ecuting processing for generating storing data with re- 
spect to a recording device of content data, which has 
a plurality of content blocks in which at least a part of 
the blocks are encrypted and a header section storing 
information on the contents blocks, characterized in 
that: in the case in which the content block included in 
content data to be an object of storage with respect to 
the recording device is composed of contents encrypted 
by an encryption key Kblc and encryption key data Kdis 
[Kblc] that is encrypted by the encryption key Kdis, the 
data processing apparatus has a structure for executing 
processing for taking out the encryption key data Kdis 
[Kblc] from the content block section and executing de- 
cryption processing of the encryption key Kblc to gen- 
erate decryption data Kblc, generating an encryption 
key data Kstr[Kblc] that is applied encryption processing 
by an encryption key Kstr and storing the encryption key 
data Kstr[Kblc] in a contents block section, and applying
a different encryption key Kstr to the generated decryp- 
tion data Kblc to execute encryption processing. 
[0182] In addition, a twenty eighth aspect of the 
present invention is a content data generating method 
for generating content data, which comprises: coupling 
a plurality of content blocks composed of data including 
at least any one of voice information, image information 
and program data; applying encryption processing to at 
least a part of content blocks included in the plurality of 
content blocks by an encryption key Kcon; generating 
encryption key data Kdis[Kcon] that is the encryption 
key Kcon applied encryption processing by an encryp- 
tion key Kdis and storing the encryption key Kdis in a 
header section of the content data; and generating con- 
tent data including the plurality of content blocks and the 
header section. 

[0183] In addition, an embodiment of the content data
generating method of the present invention is charac- 
terized by further comprising processing for generating 
block information storing information including identification
information of content data, data length of content
data, usage policy information including data types of
content data, data length of the content block, and presence
or absence of encryption processing, and storing
the block information in the header section.

[0184] In addition, an embodiment of the content data 
generating method of the present invention is characterized
in that the content data generating method comprises
processing for further generating a part check value
based on a part of information composing the header
section and storing the part check value in the header 
section, and further generating a total check value 
based on the part check value and storing the total 
check value in the header section. 

[0185] In addition, an embodiment of the content data
generating method of the present invention is characterized
in that the generation processing of the part
check value and the generation processing of the total
check value applies and executes a DES encryption
processing algorithm with data to be an object of check
as a message and a check value generating key as an 
encryption key. 

[0186] In addition, an embodiment of the content data
generating method of the present invention is characterized
in that the content data generating method further
applies encryption processing to the block information
by the encryption key Kbit, and stores the encryption
key data Kdis[Kbit] that is the encryption key Kbit gen- 
erated by the encryption key Kdis in the header section. 

[0187] In addition, an embodiment of the content data
generating method of the present invention is charac- 
terized in that each block of the plurality of blocks in the 
content block is generated as a common fixed data 
length. 

[0188] In addition, an embodiment of the content data
generating method of the present invention is charac- 
terized in that each block of the plurality of blocks in the 
content block is generated with a structure in which an 
encryption data section and a non-encryption section 
are arranged regularly.

[0189] A twenty ninth aspect of the present invention 
is the content data generating method for generating 
content data which comprises: coupling a plurality of 
content blocks including at least any one of voice information,
image information and program data; composing
at least a part of the plurality of content blocks by an
encryption data section that is data including at least any
one of voice information, image information and program
data by an encryption key Kblc, and a set of encryption
key data Kcon[Kblc] that is the encryption key
Kblc of the encryption data section applied encryption
processing by an encryption key Kcon; generating encryption
key data Kdis[Kcon] that is the encryption key
Kcon applied encryption processing by an encryption
key Kdis and storing the generated encryption key
data Kdis[Kcon] in a header of the content data; and 
generating content data including a plurality of content 
blocks and a header section. 
[0190] A thirtieth aspect of the present invention is the
content data generating method for generating content 
data which comprises: coupling a plurality of content 
blocks including at least any one of voice information, 
image information and program data; composing at
least a part of the plurality of content blocks by an en- 
cryption data section that is data including at least one 
of voice information, image information and program da- 
ta by an encryption key Kblc, and a set of encryption key 
data Kdis[Kblc] that is the encryption key Kblc of the encryption
data section applied encryption processing by
an encryption key Kdis; and generating content data in- 
cluding a plurality of content blocks and a header sec- 
tion. 

[0191] A thirty first aspect of the present invention is
a data processing method for executing processing for 
storing in a recording device content data having a plu- 
rality of content blocks in which at least a part of blocks 
are encrypted, and a header in which information on the 
content blocks is stored, which comprises: in the case
in which content data to be an object of storage in the 
recording device is structured by data stored in the 
header section, which is an encryption key data Kdis 
[Kcon] that is an encryption key Kcon of the content 
block applied encryption processing by an encryption 
key Kdis, taking out the encryption key data Kdis[Kcon] 
from the header section and executing decryption 
processing to generate decryption data Kcon; generat- 
ing a new encryption key data Kstr[Kcon] that is applied 
encryption processing by an encryption key Kstr by ap- 
plying a different encryption key Kstr to the generated 
decryption data Kcon to execute encryption processing; 
and storing the generated encryption key data Kstr 
[Kcon] in a header section of the content data, and stor- 
ing the header section in the recording device together 
with the plurality of content blocks. 
[0192] A thirty second aspect of the present invention
is a data processing method for executing processing 
for storing in a recording device content data having a 
plurality of content blocks in which at least a part of 
blocks are encrypted, and a header in which information 
on the content blocks is stored, which comprises: in the 
case in which the content block included in content data 
to be an object of storage with respect to the recording 
device is composed of contents encrypted by an encryp- 
tion key Kblc and encryption key data Kcon[Kblc] that is 
encrypted by the encryption key Kcon, and has a struc- 
ture in which encryption key data Kdis[Kcon] that is the 
encryption key Kcon applied encryption processing by 
an encryption key Kdis is stored in the header section, 
taking out the encryption key data Kdis[Kcon] from the 
header section and executing decryption processing to 
generate decryption data Kcon; generating a new encryption
key data Kstr[Kcon] that is applied encryption
processing by an encryption key Kstr by applying a dif- 
ferent encryption key Kstr to the generated decryption 
data Kcon to execute decryption processing; and storing 
the generated encryption key data Kstr[Kcon] in a header
section of the content data, and storing the header
section in the recording device together with the plurality 
of content blocks. 

[0193] A thirty third aspect of the present invention is
a data processing method for executing processing for 
storing in a recording device content data having a plu- 
rality of content blocks in which at least a part of blocks 
are encrypted, and a header in which information on the 
content blocks is stored, which comprises: in the case 
in which the content block included in content data to be 
an object of storage with respect to the recording device 
is composed of contents encrypted by an encryption key 
Kblc and encryption key data Kdis[Kblc] that is encrypted
by the encryption key Kdis, taking out the encryption
key data Kdis[Kblc] from the content block section and 
executing decryption processing of the encryption key 
Kblc to generate decryption data Kblc; generating an encryption
key data Kstr[Kblc] that is applied encryption
processing by an encryption key Kstr by applying a dif- 
ferent encryption key Kstr to the generated decryption 
data Kblc to execute decryption processing; and storing 
the generated encryption key data Kstr[Kblc] in a content
block section, and storing the content block section
in the recording device together with the plurality of con- 
tent blocks. 

[0194] A thirty fourth aspect of the present invention 
is a program providing medium for providing a computer 
program causing generation processing of storing data 
with respect to a recording device of content data, which 
has a plurality of content blocks in which at least a part 
of the blocks are encrypted and a header section storing 
information on the contents blocks, to be executed on a 
computer system, which is characterized in that: the 
computer program comprises: in the case in which con- 
tent data to be an object of storage in the recording de- 
vice is structured by data stored in the header section, 
which is an encryption key data Kdis[Kcon] that is an 
encryption key Kcon of the content block applied en- 
cryption processing by an encryption key Kdis, a step of 
taking out the encryption key data Kdis[Kcon] from the 
header section and executing decryption processing to 
generate decryption data Kcon; generating a new encryption
key data Kstr[Kcon] that is applied encryption
processing by an encryption key Kstr by applying a dif- 
ferent encryption key Kstr to the generated decryption 
data Kcon to execute decryption processing; and storing 
the generated encryption key data Kstr[Kcon] in a head- 
er section of the content data. 
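
The contents check value construction of the verification aspects and the Kdis[Kcon] to Kstr[Kcon] header re-wrap of the storage aspects, combined in one added Python example that is not part of the patent text. The toy Feistel cipher (a stand-in for DES, which the Python standard library lacks), the zero IV, the zero padding, the dictionary layout and all key values are assumptions constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit block, the DES block size

# Constructed sample keys (8 bytes each); names follow the page's notation.
K_DIS, K_STR = b"dist-key", b"stor-key"   # distribution key / storage key
K_CON, K_ICV = b"cont-key", b"icv--key"   # content key / check value generation key


def _feistel(key, block, rounds):
    # ASSUMPTION: toy Feistel network standing in for DES. Not a secure cipher.
    left, right = block[:4], block[4:]
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left


def enc(key, block):
    return _feistel(key, block, range(8))


def dec(key, block):
    return _feistel(key, block, reversed(range(8)))


def ecb(fn, key, data):
    # ASSUMPTION: parts are zero-padded and processed one block at a time.
    data = data.ljust(-(-len(data) // BLOCK) * BLOCK, b"\0")
    return b"".join(fn(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def xor_fold(part):
    # Intermediate value: exclusive-OR of the whole part in 8-byte units.
    acc = bytearray(BLOCK)
    for off in range(0, len(part), BLOCK):
        for i, b in enumerate(part[off:off + BLOCK]):
            acc[i] ^= b
    return bytes(acc)


def cbc_mac(key, msg):
    # Last ciphertext block of CBC-mode encryption; a zero IV is assumed.
    state = bytes(BLOCK)
    for off in range(0, len(msg), BLOCK):
        chunk = msg[off:off + BLOCK].ljust(BLOCK, b"\0")
        state = enc(key, bytes(a ^ b for a, b in zip(state, chunk)))
    return state


def part_check_value(part, k_con, k_icv):
    # An encrypted part is decrypted first, so the value covers the plaintext.
    plain = ecb(dec, k_con, part["data"]) if part["encrypted"] else part["data"]
    return enc(k_icv, xor_fold(plain))


def contents_check_value(parts, k_con, k_icv):
    pcvs = [part_check_value(p, k_con, k_icv) for p in parts if p["verify"]]
    if not pcvs:
        raise ValueError("no part marked for verification")
    if len(pcvs) == 1:
        return pcvs[0]                      # one part: its check value is used
    return cbc_mac(k_icv, b"".join(pcvs))   # several: MAC over the linked values


def store(content, k_dis, k_str, k_icv):
    """Verify every block, then re-wrap Kcon under Kstr for the recording device."""
    k_con = dec(k_dis, content["header"]["wrapped_kcon"])   # Kdis[Kcon] -> Kcon
    for blk in content["blocks"]:
        got = contents_check_value(blk["parts"], k_con, k_icv)
        if not hmac.compare_digest(got, blk["icv"]):
            return None  # collation not established: storage stops
    header = dict(content["header"], wrapped_kcon=enc(k_str, k_con))  # Kstr[Kcon]
    return {"header": header, "blocks": content["blocks"]}  # blocks stay as received


def build_sample():
    """Constructed content data: one block, one encrypted and one plain part."""
    parts = [
        {"data": ecb(enc, K_CON, b"constructed audio frame"),
         "encrypted": True, "verify": True},
        {"data": b"constructed plaintext metadata",
         "encrypted": False, "verify": True},
    ]
    block = {"parts": parts, "icv": contents_check_value(parts, K_CON, K_ICV)}
    return {"header": {"wrapped_kcon": enc(K_DIS, K_CON)}, "blocks": [block]}
```

Only the 8-byte wrapped key in the header changes on storage; the content blocks encrypted under Kcon are written as received.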

[0195] A thirty fifth aspect of the present invention is 
a data processing apparatus for performing reproduc- 
tion processing of content data provided by a storage 
medium or a communication medium, which is charac- 
terized by comprising: a content data analyzing section 
for executing content data analysis of content data in- 
cluding compressed contents and an expansion 
processing program of the compressed contents, and 
executing extraction processing of the compressed con- 
tents and the expansion processing program from the 
content data; and an expansion processing section for
executing expansion processing of the content data in- 
cluded in the content data using an expansion process- 
ing program included in the content data obtained as a 
result of the analysis of the content data analyzing section.

[0196] In addition, in one embodiment of the data 
processing apparatus of the present invention, the data 
processing apparatus is characterized by further comprising:
a data storing section for storing the compressed
contents that are extracted by the content data
analyzing section; and a program storing section for 
storing the expansion processing program extracted by 
the content data analyzing section, and characterized 
in that the expansion processing section has a configuration
for executing expansion processing with respect
to the compressed contents stored in the data storing 
section by applying the expansion processing program 
stored in the program storing section to the compressed 
contents.
[0197] In addition, in one embodiment of the data 
processing apparatus of the present invention, the data 
processing apparatus is characterized in that the contents
data analyzing section has a configuration for obtaining
a configuration information of content data based
on header information included in the content data and 
performing analysis of the content data. 
[0198] In addition, in one embodiment of the data 
processing apparatus of the present invention, the data 
processing apparatus is characterized in that reproduction
priority information of the compressed contents is
included in the header information and, if there are a 
plurality of compressed contents that is objects of expansion
processing in the expansion processing section,
the expansion processing section has a configuration
for sequentially executing content expansion
processing in accordance with the priority based on the 
priority information in the header information obtained 
in the content data analyzing section. 

[0199] In addition, in one embodiment of the data
processing apparatus of the present invention, the data 
processing apparatus is characterized by further com- 
prising: displaying means for displaying information of 
the compressed contents that are objects of expansion 
processing; and inputting means for inputting reproduction
contents identification data selected from the content
information displayed on the displaying means, and
characterized in that the expansion processing section 
has a configuration for executing expansion processing 
of the compressed contents corresponding to the identification
data based on the reproduction contents identification
data inputted from the inputting means.
[0200] In addition, a thirty sixth aspect of the present 
invention is a data processing apparatus for performing 
reproduction processing of content data provided by a
storage medium or a communication medium, which is 
characterized by comprising: a content data analyzing 
section for receiving content data including either compressed
contents or expansion processing program,
distinguishing whether the content data has the com- 
pressed contents or the expansion processing program 
from header information included in the received con- 
tent data and, at the same time, if the content data has 
the compressed contents, obtaining a type of a com- 
pressing processing program applied to the com- 
pressed contents from the header information of the 
content data, and if the content data has the expansion 
processing program, obtaining a type of the expansion 
processing program from the header information of the 
content data; an expansion processing section for exe- 
cuting expansion processing of the compressed con- 
tents, characterized in that the expansion processing 
section has a configuration for selecting an expansion 
processing program applicable to the type of the com- 
pression processing program of the compressed con- 
tents analyzed by the content data analyzing section 
based on the type of the expansion processing program 
analyzed by the content data analyzing section, and ex- 
ecuting expansion processing by the selected expan- 
sion processing program. 

[0201] In addition, in one embodiment of the data 
processing apparatus of the present invention, the data 
processing apparatus is characterized by further com- 
prising: a data storing section for storing the com- 
pressed contents that are extracted by the content data 
analyzing section; and a program storing section for 
storing the expansion processing program extracted by 
the content data analyzing section, and characterized 
in that the expansion processing section has a configu- 
ration for executing expansion processing with respect 
to the compressed contents stored in the data storing 
section by applying the expansion processing program 
stored in the program storing section to the compressed 
contents. 

[0202] In addition, in one embodiment of the data 
processing apparatus of the present invention, the data 
processing apparatus is characterized in that reproduc- 
tion priority information of the compressed contents is 
included in the header information and, if there are a 
plurality of compressed contents that is objects of ex- 
pansion processing, content expansion processing in 
the expansion processing section has a configuration 
for sequentially executing content expansion process- 
ing in accordance with the priority based on the priority 
information in the header information obtained in the 
content data analyzing section. 

[0203] In addition, in one embodiment of the data 
processing apparatus of the present invention, the data 
processing apparatus is characterized by further com- 
prising retrieving means for retrieving an expansion 
processing program, and characterized in that the re- 
trieving means has a configuration for retrieving an ex- 
pansion processing program applicable to a type of the 
compression processing program of the compressed 
contents analyzed by the content data analyzing section 
with program storing means accessible by the data 
processing apparatus as an object of retrieval.
[0204] In addition, in one embodiment of the data 
processing apparatus of the present invention, the data 
processing apparatus is characterized by further com- 
prising: displaying means for displaying information of 
the compressed contents that are objects of expansion 
processing; and inputting means for inputting reproduc- 
tion contents identification data selected from the con- 
tent information displayed on the displaying means, and 
characterized in that the expansion processing section 
has a configuration for executing expansion processing 
of the compressed contents corresponding to the iden- 
tification data based on the reproduction contents iden- 
tification data inputted from the inputting means. 
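
The analysis, program selection, priority ordering and retrieval steps of the thirty sixth aspect and its embodiments, as an added Python example that is not part of the patent text. The unit header layout, the type codes, the rule that a lower priority value is expanded first, and the choice that a program unit only announces a type (the decoder itself comes from the apparatus's built-in set, so nothing carried in the content is executed) are all assumptions made for illustration.

```python
import bz2
import lzma
import struct
import zlib

# Hypothetical unit header: magic, kind, type code, priority, payload length.
HDR = struct.Struct(">4sBBBH")
MAGIC = b"CNT0"
KIND_CONTENTS, KIND_PROGRAM = 0, 1
# Decoders built into the apparatus, keyed by assumed type codes.
BUILTIN = {1: zlib.decompress, 2: bz2.decompress, 3: lzma.decompress}


def pack_unit(kind, type_code, priority, payload=b""):
    return HDR.pack(MAGIC, kind, type_code, priority, len(payload)) + payload


def analyze(stream):
    """Analyzing step: fill the data store and the program store from headers."""
    data_store, program_store, off = [], {}, 0
    while off < len(stream):
        if len(stream) - off < HDR.size:
            raise ValueError("truncated header")
        magic, kind, type_code, priority, length = HDR.unpack_from(stream, off)
        off += HDR.size
        payload = stream[off:off + length]
        if magic != MAGIC or len(payload) != length:
            raise ValueError("malformed content data unit")
        off += length
        if kind == KIND_CONTENTS:
            # Compressed contents: remember which compression type was applied.
            data_store.append((priority, type_code, payload))
        elif kind == KIND_PROGRAM and type_code in BUILTIN:
            # ASSUMPTION: the unit names an expansion program type; the decoder
            # is taken from BUILTIN rather than from the payload.
            program_store[type_code] = BUILTIN[type_code]
        else:
            raise ValueError("unknown kind or expansion program type")
    return data_store, program_store


def expand_all(stream, library=None):
    """Expand every compressed item in priority order (lower value first)."""
    data_store, program_store = analyze(stream)
    results = []
    for _priority, type_code, payload in sorted(data_store, key=lambda d: d[0]):
        program = program_store.get(type_code)   # selection by matching type
        if program is None and library:          # retrieval from program storing means
            program = library.get(type_code)
        if program is None:
            raise LookupError(f"no expansion program for type {type_code}")
        results.append(program(payload))
    return results


def build_stream():
    """Constructed sample: one program unit and two compressed items."""
    return b"".join([
        pack_unit(KIND_PROGRAM, 1, 0),
        pack_unit(KIND_CONTENTS, 2, 2, bz2.compress(b"constructed item B")),
        pack_unit(KIND_CONTENTS, 1, 1, zlib.compress(b"constructed item A")),
    ])
```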
[0205] In addition, a thirty seventh aspect of the 
present invention is a data processing method for per- 
forming reproduction processing of content data provid- 
ed by a storage medium or a communication medium, 
which is characterized by comprising: a content data an- 
alyzing step of executing content data analysis of con- 
tent data including compressed contents and an expan- 
sion processing program of the compressed contents, 
and executing extraction processing of the compressed 
contents and the expansion processing program from 
the content data; and an expansion processing step of 
executing expansion processing of the content data in- 
cluded in the content data using an expansion process- 
ing program included in the content data obtained as a 
result of the analysis of the content data analyzing sec- 
tion. 

[0206] In addition, in one embodiment of the data 
processing method of the present invention, the data 
processing method is characterized by further compris- 
ing: a data storing step of storing the compressed con- 
tents that are extracted by the content data analyzing 
section; and a program storing step of storing the expansion
processing program extracted by the content
data analyzing section, and characterized in that the ex- 
pansion processing section has a configuration for ex- 
ecuting expansion processing with respect to the com- 
pressed contents stored in the data storing step by ap- 
plying the expansion processing program stored in the 
program storing step to the compressed contents. 
[0207] In addition, in one embodiment of the data 
processing method of the present invention, the data 
processing method is characterized in that the contents 
data analyzing step obtains a configuration information 
of content data based on header information included 
in the content data and performs analysis of the content 
data. 

[0208] In addition, in one embodiment of the data 
processing method of the present invention, the data 
processing method is characterized in that reproduction 
priority information of the compressed contents is in- 
cluded in the header information and, if there are a plu- 
rality of compressed contents that is objects of expan- 
sion processing in the expansion processing section, 
the expansion processing step sequentially executes
content expansion processing in accordance with the
priority based on the priority information in the header
information obtained in the content data analyzing step.
[0209] In addition, in one embodiment of the data
processing method of the present invention, the data
processing method is characterized by further comprising:
displaying step of displaying information of the compressed
contents that are objects of expansion processing
on displaying means; and inputting step of inputting
reproduction contents identification data selected from
the content information displayed on the displaying
means, and characterized in that the expansion
processing step executes expansion processing of the
compressed contents corresponding to the identification
data based on the reproduction contents identification
data inputted from the inputting step.
[0210] In addition, a thirty eighth aspect of the present
invention is a data processing method for performing reproduction
processing of content data provided by a
storage medium or a communication medium, which is
characterized by comprising: a content data analyzing
step of receiving content data including either compressed
contents or expansion processing program,
distinguishing whether the content data has the compressed
contents or the expansion processing program
from header information included in the received content
data and, at the same time, if the content data has
the compressed contents, obtaining a type of a compressing
processing program applied to the compressed
contents from the header information of the
content data, and if the content data has the expansion
processing program, obtaining a type of the expansion
processing program from the header information of the
content data; a selecting step of selecting an expansion
processing program applicable to the type of the compression
processing program of the compressed contents
analyzed in the content data analyzing step based
on the type of the expansion processing program analyzed
in the content data analyzing step; and an expansion
processing step of executing expansion processing
by the expansion processing program selected in the
selecting step.

[0211] In addition, in one embodiment of the data 
processing method of the present invention, the data
processing method is characterized by further comprising:
a data storing step of storing the compressed contents
that are extracted by the content data analyzing
section; and a program storing step of storing the expansion
processing program extracted by the content
data analyzing section, and characterized in that the expansion
processing step executes expansion processing
with respect to the compressed contents stored in
the data storing step by applying the expansion processing
program stored in the program storing step to the
compressed contents.

[0212] In addition, in one embodiment of the data 
processing method of the present invention, the data 
processing method is characterized in that reproduction 
priority information of the compressed contents is included
in the header information and, if there are a plurality
of compressed contents that is objects of expansion
processing, the content expansion processing step
sequentially executes content expansion processing in 
accordance with the priority based on the priority infor- 
mation in the header information obtained in the content 
data analyzing step. 

[0213] In addition, in one embodiment of the data 
processing method of the present invention, the data 
processing method is characterized by comprising a re- 
trieving step of retrieving an expansion processing pro- 
gram, and characterized in that the retrieving step re- 
trieves an expansion processing program applicable to 
a type of the compression processing program of the 
compressed contents analyzed in the content data an- 
alyzing step with program storing means accessible by 
the data processing apparatus as an object of retrieval. 
[0214] In addition, in one embodiment of the data 
processing method of the present invention, the data 
processing method is characterized by further compris- 
ing: a displaying step of displaying information of the 
compressed contents that are objects of expansion 
processing; and an inputting step of inputting reproduc- 
tion contents identification data selected from the con- 
tent information displayed on the displaying means, and 
characterized in that the expansion processing step ex- 
ecutes expansion processing of the compressed con- 
tents corresponding to the identification data based on 
the reproduction contents identification data inputted 
from the inputting means. 

[0215] In addition, a thirty ninth aspect of the present 
invention is a content data generating method for per- 
forming generation processing of content data provided 
by a storage medium or a communication medium, 
which is characterized by generating content data in 
which compressed contents and an expansion process- 
ing program of the compressed contents are combined. 
[0216] In addition, in one embodiment of the content 
data generating method of the present invention, the 
content data generating method is characterized in that 
a configuration information of the content data is added 
as header information of the content data. 
[0217] In addition, in one embodiment of the content 
data generating method of the present invention, the 
content data generating method is characterized in that 
reproduction priority information of contents included in
the content data is added as header information of the
content data.

[0218] In addition, a fortieth aspect of the present
invention is a content data generating method for performing
generation processing of content data provided by a storage
medium or a communication medium, which is characterized in
that content data is generated in which a type of content
data for identifying whether the content data has compressed
contents or an expansion processing program is added as
header information; if the content data has compressed
contents, a type of a compression processing program applied
to the compressed contents is added as header information;
and if the content data has an expansion processing program,
a type of an expansion processing program is added as header
information.

[0219] In addition, in one embodiment of the content
data generating method of the present invention, the
content data generating method is characterized in that
reproduction priority information of contents included in
the content data is added as header information of the
content data.

[0220] In addition, a forty first aspect of the present
invention is a program providing medium for providing
a computer program that causes a computer system to
execute reproduction processing of content data provided
by a storage medium or a communication medium, which is
characterized by comprising: a content data analyzing step
of executing content data analysis of content data including
compressed contents and an expansion processing program of
the compressed contents, and executing extraction processing
of the compressed contents and the expansion processing
program from the content data; and an expansion processing
step of executing expansion processing of the content data
included in the content data using an expansion processing
program included in the content data obtained as a result of
the analysis of the content data analyzing section.

[0221] The program providing medium in accordance 
with the present invention is, for example, a medium for 
providing a computer program in a computer readable 
form to a general purpose computer system that can ex- 
ecute various program codes. A form of the medium is 
a storage medium such as a CD, an FD or an MO, or a 
transmission medium such as a network, and is not spe- 
cifically limited. 

[0222] Such a program providing medium defines a 
structural or functional cooperative relationship be- 
tween a computer program and a providing medium for 
realizing a predetermined function of the computer pro- 
gram on a computer system. In other words, a cooper- 
ative operation is shown on the computer system by in- 
stalling the computer program in the computer system 
via the providing medium, and operational effects simi- 
lar to other aspects of the present invention can be ob- 
tained. 

[0223] Other objects, features, and advantages of the 
present invention will be seen from the detailed expla- 
nation based on the embodiment and attached drawings 
of the present invention described later. 
[0224] As described above, according to the data
processing apparatus and method and data-verifying-value-imparting
method of the present invention, partial integrity check
values generated as integrity check values for a partial data
set containing one or more partial data obtained by dividing
content data into a plurality of pieces are used for a
collation process to verify the partial data, and
partial-integrity-check-value-verifying integrity check values
used to verify a partial integrity check value set comprising
a combination of a plurality of partial integrity check values
are used for a collation process to verify the entirety of a
plurality of partial data sets corresponding to a plurality of
partial integrity check values constituting a partial
integrity check value set. Consequently, compared to a
configuration for imparting a single integrity check value to
the entire content data, partial verification is achieved and
the entire verification process is efficient due to the use of
the partial integrity check values.

[0225] Further, according to the data processing
apparatus and method and data-verifying-value-imparting
method of the present invention, the verification process
can be executed depending on how content data are used, for
example, whether the data are to be downloaded or reproduced;
for example, a verification process for a data portion that
is unlikely to be tampered with can be omitted. Therefore,
efficient verification is achieved depending on how data are
used.
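
The two-level scheme of paragraphs [0224] and [0225] can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA-256 stands in for the DES-based check value generation the patent describes, and the block size, labels, block index binding and function names are assumptions made for the illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 16  # constructed value: bytes per partial data piece


def mac(key: bytes, label: bytes, data: bytes) -> bytes:
    """Check value generator. HMAC-SHA-256 is a stand-in chosen for this
    example; `label` keeps the two levels of check values apart."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


def split_blocks(content: bytes) -> list:
    return [content[i:i + BLOCK_SIZE] for i in range(0, len(content), BLOCK_SIZE)]


def impart_check_values(key: bytes, content: bytes):
    """Generator side: one partial ICV per block (bound to the block index,
    an addition of this example), plus one ICV over the set of partial ICVs."""
    partial = [mac(key, b"part", i.to_bytes(4, "big") + block)
               for i, block in enumerate(split_blocks(content))]
    total = mac(key, b"total", b"".join(partial))
    return partial, total


def verify_partial_set(key: bytes, partial: list, total: bytes) -> bool:
    """Collate the check value that covers the whole set of partial ICVs."""
    return hmac.compare_digest(mac(key, b"total", b"".join(partial)), total)


def verify_blocks(key: bytes, content: bytes, partial: list, total: bytes, wanted) -> bool:
    """Verifier side: authenticate the partial ICV set once, then collate only
    the blocks in `wanted` (for example, the ones about to be reproduced)."""
    if not verify_partial_set(key, partial, total):
        return False
    blocks = split_blocks(content)
    if len(blocks) != len(partial):
        return False
    for i in wanted:
        if not 0 <= i < len(blocks):
            return False
        expected = mac(key, b"part", i.to_bytes(4, "big") + blocks[i])
        if not hmac.compare_digest(expected, partial[i]):
            return False
    return True


def demo() -> dict:
    key = b"constructed-icv-key"                      # constructed sample key
    content = bytes(range(64))                        # constructed content: 4 blocks
    partial, total = impart_check_values(key, content)
    tampered = content[:40] + b"\xff" + content[41:]  # one byte changed in block 2
    forged = list(partial)
    forged[2] = bytes(32)                             # partial ICV replaced without the key
    return {
        "all_blocks_ok": verify_blocks(key, content, partial, total, range(4)),
        # Blocks that are not checked are not protected: the cost of skipping.
        "unchecked_tamper_passes": verify_blocks(key, tampered, partial, total, [0, 1, 3]),
        "tampered_block_detected": not verify_blocks(key, tampered, partial, total, [2]),
        "forged_partial_detected": not verify_blocks(key, content, forged, total, [0]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Skipping blocks, as [0225] allows, trades coverage for speed: a change in a block that is never collated goes unnoticed, so the omitted portion must really be the one that is unlikely to be tampered with.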

[0226] Furthermore, the data processing apparatus 
and data processing method of the present invention are 
configured in such a way that individual keys necessary 
to execute encryption processing such as data encryp- 
tion, data decryption, data verification, authentication 
processing and signature processing are not stored in 
a storage section, master keys to generate these indi- 
vidual keys are stored in the storage section instead, the 
encryption processing section of the data processing 
apparatus extracts the master keys corresponding to 
these individual keys such as encryption keys and au- 
thentication keys from the storage section as required, 
executes encryption processing applying a DES algo- 
rithm, etc. based on the extracted master keys and iden- 
tification data of the apparatus or data and generates 
individual keys such as an encryption key and authen- 
tication key, and therefore the present invention elimi- 
nates the possibility of the individual keys themselves 
leaking from the storage section and enhances the se- 
curity of an encryption processing system because ac- 
quiring the individual keys will require a plurality of in- 
formation pieces such as information of both individual 
key generation algorithm and master keys, identification 
data of the apparatus or data. Moreover, even if an individual
key is leaked for some reason, the range of damage is limited
to the range of the individual key, which will not lead to
collapse of the entire system.
[0227] Furthermore, the data processing apparatus,
data processing system and data processing method of
the present invention are configured in such a way that
individual keys are sequentially generated based on the
identification data of the apparatus or data, which
eliminates the need to maintain the list of keys applied to
individual apparatuses in a control apparatus, facilitating
system control as well as enhancing the security.
[0228] Furthermore, according to the data processing
apparatus, data processing method and contents data
generation method of the present invention, illegal device
identification data information is stored in contents data,
collation between an illegal device list and the
recorder/reproducer identifier of the recorder/reproducer
attempting to use the contents is executed prior to the
use of the contents by the recorder/reproducer, and in
the case where the collation result shows that some entries
of the illegal device list match the recorder/reproducer
identifier, the subsequent processing, for example, contents
data decryption, downloading or reproduction processing,
etc., is stopped, thus making it possible to prevent a
reproducer, etc. that has illegally acquired a key from
illegally using contents.
[0229] Furthermore, the data processing apparatus,
data processing method and contents data generation
method of the present invention adopt a configuration
allowing the contents data to include check values together
for the illegal device list in the content data, making it
possible to prevent tampering of the list itself and
provide a contents data utilization configuration with
enhanced security.
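
Paragraphs [0226] to [0229] combine two ideas: individual keys are regenerated from a stored master key and an identifier instead of being stored, and the illegal device list in the content header carries its own check value and is collated before any use. The sketch below is an added example, not code from the patent; HMAC-SHA-256 replaces the DES step, and the header layout, identifier length and all names are assumptions made for the illustration.

```python
import hashlib
import hmac

ID_LEN = 8                                       # constructed: fixed device identifier length
MASTER_KEY = b"constructed-master-key-material"  # constructed sample master key


def derive_individual_key(master_key: bytes, identifier: bytes) -> bytes:
    """Individual key = f(master key, identification data). Only the master key
    is stored; the individual key is regenerated whenever it is needed."""
    return hmac.new(master_key, identifier, hashlib.sha256).digest()


def encode_list(revoked_ids: list) -> bytes:
    """Serialize the illegal device list: 2-byte count, then fixed-length IDs."""
    for dev in revoked_ids:
        if len(dev) != ID_LEN:
            raise ValueError("identifier has the wrong length")
    return len(revoked_ids).to_bytes(2, "big") + b"".join(revoked_ids)


def decode_list(blob: bytes) -> list:
    if len(blob) < 2:
        raise ValueError("list too short")
    count = int.from_bytes(blob[:2], "big")
    if len(blob) != 2 + count * ID_LEN:
        raise ValueError("list length does not match its entry count")
    return [blob[2 + i * ID_LEN: 2 + (i + 1) * ID_LEN] for i in range(count)]


def build_header(master_key: bytes, content_id: bytes, revoked_ids: list) -> dict:
    """Content provider side: the list check value is keyed with a key derived
    from the master key and this content's ID, so it is bound to this content."""
    key = derive_individual_key(master_key, content_id)
    blob = encode_list(revoked_ids)
    return {"content_id": content_id,
            "revocation_list": blob,
            "list_icv": hmac.new(key, blob, hashlib.sha256).digest()}


def may_use(master_key: bytes, device_id: bytes, header: dict):
    """Device side, run before decryption, download or reproduction.
    Returns (allowed, reason); processing stops on any failure."""
    key = derive_individual_key(master_key, header["content_id"])
    expected = hmac.new(key, header["revocation_list"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["list_icv"]):
        return False, "list check value mismatch"
    try:
        revoked = decode_list(header["revocation_list"])
    except ValueError:
        return False, "malformed list"
    if device_id in revoked:
        return False, "device is on the illegal device list"
    return True, "ok"


if __name__ == "__main__":
    header = build_header(MASTER_KEY, b"CONTENT-0001", [b"DEV00002"])
    print(may_use(MASTER_KEY, b"DEV00001", header))   # device not listed
    print(may_use(MASTER_KEY, b"DEV00002", header))   # listed device is refused
    stripped = dict(header, revocation_list=encode_list([]))
    print(may_use(MASTER_KEY, b"DEV00002", stripped))  # emptied list is detected
```

Because the check value key depends on the content ID, a list and check value copied from another content's header do not verify either.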

[0230] Furthermore, the data processing apparatus
and data processing method of the present invention allow
a data processing apparatus such as a recorder/reproducer
and PC to store an apparatus-specific key, which is specific
to the data processing apparatus, and a system common key,
which is common to other data processing apparatuses using
contents data, making it possible to process contents
according to contents utilization restrictions. The data
processing apparatus selectively uses these two keys
according to contents utilization restrictions. For example,
in the case where the contents are only available to the data
processing apparatus, the key specific to the data processing
apparatus is used, while in the case where the contents are
also available to other systems, a check value for the
contents data is generated and collation processing is
performed using the system common key. It is possible
to decrypt and reproduce the encrypted data only when
the collation is established, thus allowing processing
according to contents utilization restrictions such as
contents only available to the data processing apparatus or
contents commonly available to the system, etc.
[0231] Furthermore, the data processing apparatus,
data processing method and contents data verification
value assignment method of the present invention are
configured to generate a contents check value in units
of contents block data, execute collation processing on
the contents check value generated, generate a contents
intermediate value based on the contents block data to be
verified and generate a contents check value through
encryption processing applying a contents check value
generation key, thus allowing efficient verification
compared to conventional processing on entire data.

[0232] Furthermore, the data processing apparatus,
data processing method and contents data verification
value assignment method of the present invention allow
verification in contents block units and simplified
verification processing according to download processing
and reproduction processing, etc., providing efficient
verification according to the mode of use.
[0233] Furthermore, since the data processing appa- 
ratus, the content data generating method, and the data 
processing method of the present invention is made to 
have the configuration that is provided with the plurality 
of content blocks in the content data and enables en- 
cryption processing for a unit of each content block, and 
also have the configuration in which the key used for 
content encryption is further encrypted and stored in the 
header section, even if, for example, a plurality of con- 
tent blocks exist and blocks requiring encryption 
processing and blocks not requiring encryption process- 
ing are mixed, it becomes possible to have an arbitrary 
data structure that couples each block. 
[0234] In addition, according to the data processing 
apparatus, the data processing system, and the data 
processing method of the present invention, by making 
the configuration of the content block to be a regular 
configuration, for example, a configuration having a uni- 
form data length, or a configuration in which the encryp- 
tion block and the non-encryption (plaintext) block are 
alternately disposed, decryption processing and the like 
of the content block can be promptly executed, and en- 
cryption content data suitable for processing corre- 
sponding to contents of the content data, for example, 
reproduction and the like of music data can be provided. 
[0235] Furthermore, the data processing apparatus, 
the data processing method and the content data gen- 
erating method can efficiently execute reproduction 
processing in the case in which contents are com- 
pressed voice data, image data or the like. That is, by 
making a configuration of content data to be one in 
which compressed data and an expansion processing 
program are combined, expansion processing, to which 
an expansion processing program incidental to com- 
pressed content data is applied, is made possible in the 
reproduction processing apparatus, and a situation in 
which the expansion processing program does not exist 
in the reproduction processing apparatus and reproduc- 
tion cannot be performed can be avoided. 
[0236] Moreover, according to the data processing 
apparatus, the data processing method and the content 
data generating means, since a configuration of content 
data has a configuration in which the reproduction 
processing apparatus determines the expansion 
processing program applicable to the compressed con- 
tent data based on the header information, and the re- 
production processing apparatus further retrieves a pro- 
gram applicable from accessible recording media or the 
like and executes expansion processing by making con- 
tent data to be a combination of compressed data and 
the header section storing the type of the compression 
processing program, or, if the contents has the expan- 
sion processing program, a combination of the expan- 
sion processing program and the header storing the 
type of the program, program retrieving processing does
not need to be executed by a user, and efficient
reproduction processing becomes possible.

Brief Description of the Drawings 

[0237] 

Fig. 1 is a view showing the configuration of a conventional data processing system.
Fig. 2 is a view showing the configuration of a data processing apparatus to which the present invention is applied.
Fig. 3 is a view showing the configuration of a data processing apparatus to which the present invention is applied.
Fig. 4 is a view showing a data format of content data on a medium or a communication path.
Fig. 5 is a view showing a usage policy contained in a header of content data.
Fig. 6 is a view showing block information contained in a header of content data.
Fig. 7 is a view showing an electronic signature generating method using the DES.
Fig. 8 is a view showing an electronic signature generating method using the Triple DES.
Fig. 9 is a view useful in explaining the aspect of the Triple DES.
Fig. 10 is a view showing an electronic signature generating method partly using the Triple DES.
Fig. 11 is a view showing a process flow of electronic signature generation.
Fig. 12 is a view showing a process flow of electronic signature generation.
Fig. 13 is a view useful in explaining a mutual authentication process sequence using a symmetrical cryptography technique.
Fig. 14 is a view useful in explaining a public key certificate.
Fig. 15 is a view useful in explaining a mutual authentication process sequence using an asymmetrical cryptography technique.
Fig. 16 is a view showing a process flow of an encryption process using elliptic curve cryptography.
Fig. 17 is a view showing a process flow of a decryption process using elliptic curve cryptography.
Fig. 18 is a view showing how data are held on a recording and reproducing device.
Fig. 19 is a view showing how data are held on a recording device.
Fig. 20 is a view showing a process flow of mutual authentication between the recording and reproducing device and the recording device.
Fig. 21 is a view showing the relationship between a master key of the recording and reproducing device and a corresponding master key of the recording device.
Fig. 22 is a view showing a process flow of a content download process.
Fig. 23 is a view useful in explaining a method for generating an integrity check value A: ICVa.
Fig. 24 is a view useful in explaining a method for generating an integrity check value B: ICVb.
Fig. 25 is a view useful in explaining a method for generating a total integrity check value and an integrity check value unique to the recording and reproducing device.
Fig. 26 is a view showing a format of content data stored in the recording device (localization field = 0).
Fig. 27 is a view showing a format of content data stored in the recording device (localization field = 1).
Fig. 28 is a view showing a process flow of a content reproduction process.
Fig. 29 is a view useful in explaining a method by which the recording device executes commands.
Fig. 30 is a view useful in explaining a method by which the recording device executes commands in a content storage process.
Fig. 31 is a view useful in explaining a method by which the recording device executes commands in a content reproduction process.
Fig. 32 is a view useful in explaining the configuration of a content data format type 0.
Fig. 33 is a view useful in explaining the configuration of a content data format type 1.
Fig. 34 is a view useful in explaining the configuration of a content data format type 2.
Fig. 35 is a view useful in explaining the configuration of a content data format type 3.
Fig. 36 is a view useful in explaining a method for generating a content integrity check value IDVi for the format type 0.
Fig. 37 is a view useful in explaining a method for generating a content integrity check value IDVi for the format type 1.
Fig. 38 is a view useful in explaining a total integrity check value and an integrity check value unique to the recording and reproducing device for the format types 2 and 3.
Fig. 39 is a view showing a process for downloading a content of the format type 0 or 1.
Fig. 40 is a view showing a process for downloading a content of the format type 2.
Fig. 41 is a view showing a process for downloading a content of the format type 3.
Fig. 42 is a view showing a process for reproducing a content of the format type 0.
Fig. 43 is a view showing a process for reproducing a content of the format type 1.
Fig. 44 is a view showing a process for reproducing a content of the format type 2.
Fig. 45 is a view showing a process for reproducing a content of the format type 3.
Fig. 46 is a view (1) useful in explaining a method by which a content generator and a content verifier generate integrity check values and execute verification using them.
Fig. 47 is a view (2) useful in explaining a method by which the content generator and the content verifier generate integrity check values and execute verification using them.
Fig. 48 is a view (3) useful in explaining a method by which the content generator and the content verifier generate integrity check values and execute verification using them.
Fig. 49 is a view useful in explaining a method for individually generating various keys using master keys.
Fig. 50 is a view (example 1) showing an example of a process executed by a content provider and a user in conjunction with the method for individually generating various keys using master keys.
Fig. 51 is a view (example 2) showing an example of a process executed by the content provider and the user in conjunction with the method for individually generating various keys using master keys.
Fig. 52 is a view useful in explaining a configuration for executing localization using different master keys.
Fig. 53 is a view (example 3) showing an example of a process executed by the content provider and the user in conjunction with the method for individually generating various keys using master keys.
Fig. 54 is a view (example 4) showing an example of a process executed by the content provider and the user in conjunction with the method for individually generating various keys using master keys.
Fig. 55 is a view (example 5) showing an example of a process executed by the content provider and the user in conjunction with the method for individually generating various keys using master keys.
Fig. 56 is a view showing a flow of a process for storing a cryptography key with the Triple DES applied thereto, using the Single DES algorithm.
Fig. 57 is a view showing a content reproduction process flow (example 1) based on priority.
Fig. 58 is a view showing a content reproduction process flow (example 2) based on priority.
Fig. 59 is a view showing a content reproduction process flow (example 3) based on priority.
Fig. 60 is a view useful in explaining a configuration for executing a process for decrypting (decompressing) compressed data during the content reproduction process.
Fig. 61 is a view showing an example of the configuration of a content (example 1).
Fig. 62 is a view showing a reproduction process flow in the example 1 of the configuration of the content.
Fig. 63 is a view showing an example of the configuration of a content (example 2).
Fig. 64 is a view showing a reproduction process flow in the example 2 of the configuration of the content.
Fig. 65 is a view showing an example of the configuration of a content (example 3).
Fig. 66 is a view showing a reproduction process flow in the example 3 of the configuration of the content.
Fig. 67 is a view showing an example of the configuration of a content (example 4).
Fig. 68 is a view showing a reproduction process flow in the example 4 of the configuration of the content.
Fig. 69 is a view useful in explaining a process for generating and storing save data.
Fig. 70 is a view showing a process flow for an example (example 1) of the process for storing save data.
Fig. 71 is a view showing the configuration of a data managing file (example 1) used during a process for storing and reproducing save data.
Fig. 72 is a view showing a process flow for an example (example 1) of the process for reproducing save data.
Fig. 73 is a view showing a process flow for an example (example 2) of the process for storing save data.
Fig. 74 is a view showing a process flow for an example (example 2) of the process for reproducing save data.
Fig. 75 is a view showing a process flow for an example (example 3) of the process for storing save data.
Fig. 76 is a view showing the configuration of a data managing file (example 2) used during the process for storing and reproducing save data.
Fig. 77 is a view showing a process flow for an example (example 3) of the process for reproducing save data.
Fig. 78 is a view showing a process flow for an example (example 4) of the process for storing save data.
Fig. 79 is a view showing a process flow for an example (example 4) of the process for reproducing save data.
Fig. 80 is a view showing a process flow for an example (example 5) of the process for storing save data.
Fig. 81 is a view showing the configuration of a data managing file (example 3) used during the process for storing and reproducing save data.
Fig. 82 is a view showing a process flow for an example (example 5) of the process for reproducing save data.
Fig. 83 is a view showing a process flow for an example (example 6) of the process for storing save data.
Fig. 84 is a view showing the configuration of a data managing file (example 4) used during the process for storing and reproducing save data.
Fig. 85 is a view showing a process flow for an example (example 6) of the process for reproducing save data.
Fig. 86 is a view useful in explaining a configuration for excluding invalid content users (revocation).
Fig. 87 is a view showing a flow of a process (example 1) for excluding invalid content users (revocation).
Fig. 88 is a view showing a flow of a process (example 2) for excluding invalid content users (revocation).
Fig. 89 is a view useful in explaining the configuration of the security chip (example 1).
Fig. 90 is a view showing a process flow for a method for manufacturing a security chip.
Fig. 91 is a view useful in explaining the configuration of the security chip (example 2).
Fig. 92 is a view showing a flow of a process for writing data in the security chip (example 2).
Fig. 93 is a view showing a flow of a process for checking written data in the security chip (example 2).

Best Mode for Carrying out the Invention 

[0238] The embodiments of the present invention will 
be described below. The description will proceed in the 
order of the following items: 

(1) Configuration of Data Processing Apparatus
(2) Content Data Format
(3) Outline of Cryptography Processes Applicable to Present Data Processing Apparatus
(4) Configuration of Data Stored in Recording and Reproducing Apparatus
(5) Configuration of Data Stored in Recording Device
(6) Mutual Authentication Process between Recording and Reproducing Device and Recording Device
(6-1) Outline of Mutual Authentication Process
(6-2) Switching to Key Block during Mutual Authentication
(7) Process for Downloading from Recording and Reproducing Device to Recording Device
(8) Process Executed by Recording and Reproducing Device to Reproduce Information from Recording Device
(9) Key Exchanging Process after Mutual Authentication
(10) Plural Content Data Formats and Download and Reproduction Processes Corresponding to Each Format
(11) Aspect of Process Executed by Content Provider to Generate Check Values (ICV)
(12) Cryptography Process Key Generating Configuration Based on Master Key
(13) Controlling Cryptography Intensity in Cryptography Process
(14) Program Activating Process Based on Activation Priority in Handling Policy in Content Data
(15) Content Configuration and Reproduction (Decompression) Process
(16) Process for Generating and Storing Saved Data in Recording Device and Reproducing the Same therefrom
(17) Configuration for Excluding (Revoking) Illegal Apparatuses
(18) Secure Chip Configuration and Manufacturing Method therefor

(1) Configuration of Data Processing Apparatus 

[0239] Fig. 2 shows a block diagram showing the gen- 
eral configuration of one embodiment of a data process- 
ing apparatus according to the present invention. Main 
components of the data processing apparatus are a re- 
cording and reproducing device 300 and a recording de- 
vice 400. 

[0240] The recording and reproducing device 300 
comprises, for example, a personal computer (PC), a 
game apparatus, or the like. The recording and repro- 
ducing device 300 has a control section 301 for carrying 
out unifying control including the control of communica- 
tion between the recording and reproducing device 300 
and the recording device 400 during a cryptography 
process in the recording and reproducing device 300, a 
recording and reproducing device cryptography process 
section 302 responsible for the whole cryptography 
process, a recording device controller 303 for executing 
an authentication process with the recording device 400 
connected to the recording and reproducing device to 
read and write data, a read section 304 for at least read- 
ing data from a medium 500 such as a DVD, and a com- 
munication section 305 for transmitting and receiving 
data to and from the exterior, as shown in Fig. 2. 
[0241] The recording and reproducing device 300 
downloads and reproduces content data to and from the 
recording device 400 controlled by the control section 
301. The recording device 400 is a storage medium that
can preferably be installed in and removed from the re- 
cording and reproducing device 300, for example, a 
memory card, and has an external memory 402 com- 
prising a non-volatile memory such as an EEPROM or 
a flash memory, a hard disk, or a RAM with batteries. 
[0242] The recording and reproducing device 300 has 
a read section 304 as an interface to which content data 
stored in the storage medium shown at the left end of 
Fig. 2, that is, a DVD, a CD, an FD, or an HDD can be 
input, and a communication section 305 as an interface 
to which content data distributed from a network such 
as the Internet can be input, in order to receive an input 
of a content from the exterior. 

[0243] The recording and reproducing device 300 has
a cryptography process section 302 to execute an
authentication process, encryption and decryption
processes, a data verification process, and other processes
in downloading content data externally input via the read
section 304 or the communication section 305 to the
recording device 400, or reproducing and executing content
data from the recording device 400. The cryptography process
section 302 comprises a control section 306 for controlling
the entire cryptography process section 302, an internal
memory 307 holding information such as keys for the
cryptography process and which has been processed so as to
prevent data from being externally read out therefrom
easily, and an encryption/decryption section 308 for
executing the encryption and decryption processes,
generating and verifying authentication data, generating
random numbers, etc.

[0244] The control section 301 transmits an
initialization command to the recording device 400 via the
recording device controller 303 when, for example, the
recording device 400 is installed in the recording and
reproducing device 300, or executes a mediation process
for various processes such as a mutual authentication
between the encryption/decryption section 308 of the
recording and reproducing device cryptography process
section 302 and the encryption/decryption section 406
of the recording device cryptography process section
401, an integrity check value collating process, and
encryption and decryption processes. Each of these
processes will be described in detail in the latter part.
[0245] The cryptography process section 302 executes the authentication
process, the encryption and decryption processes, the data verifying
process, and other processes, as previously described, and has the
cryptography process control section 306, the internal memory 307, and
the encryption/decryption section 308.
[0246] The cryptography process control section 306 executes control of
the whole cryptography process such as the authentication process and the
encryption/decryption processes executed by the recording and reproducing
device 300, for example, processes of setting an authentication
completion flag when the authentication process executed between the
recording and reproducing device 300 and the recording device 400 has
completed, commanding the execution of various processes executed in the
encryption/decryption section 308 of the recording and reproducing
section cryptography process section 302, for example, a download process
and a process for generating integrity check values for reproduced
content data, and commanding the execution of a process for generating
various key data.

[0247] The internal memory 307 stores key data, identification data, and
other data required for various processes such as the mutual
authentication process, the integrity check value collating process, and
the encryption and decryption processes which are executed in the
recording and reproducing device 300, as described later in detail.

[0248] The encryption/decryption section 308 uses key data and the like
stored in the internal memory 307 to execute the authentication process,
the encryption and decryption processes, the generation and verification
of predetermined integrity check values or electronic signatures, the
verification of data, the generation of random numbers, etc. in
downloading externally input content data to the recording device 400 or
reproducing and executing content data stored in the recording device
400.

[0249] In this case, the internal memory 307 of the recording and
reproducing device cryptography process section 302 holds important
information such as cryptography keys and must thus be configured so that
its data cannot easily be read out externally. Thus, the cryptography
process section is configured as a tamper resistant memory characterized
to restrain external invalid reads in that it comprises a semiconductor
chip that essentially rejects external accesses and has a multilayer
structure, an internal memory sandwiched between dummy layers of aluminum
or the like or arranged in the lowest layer, and a narrow range of
operating voltages and/or frequencies. This configuration will be
described later in detail.

[0250] In addition to these cryptography process functions, the recording
and reproducing device 300 comprises a main Central Processing Unit (CPU)
106, a RAM (Random Access Memory) 107, a ROM (Read Only Memory) 108, an
AV process section 109, an input interface 110, a PIO (Parallel I/O)
interface 111, and a SIO (Serial I/O) interface 112.

[0251] The main Central Processing Unit (CPU) 106, the RAM (Random Access
Memory) 107, and the ROM (Read Only Memory) 108 are components
functioning as a control system for the main body of the recording and
reproducing device 300, and principally function as a reproduction
process section for reproducing data decrypted by the recording and
reproducing device cryptography process section 302. For example, the
main Central Processing Unit (CPU) 106 executes control for the
reproduction and execution of contents, such as output of content data
read out from the recording device and then decrypted, to the AV process
section 109 under the control of the control section 301.
[0252] The RAM 107 is used as a main storage memory for various processes
executed by the CPU 106 and as a working area for these processes. The
ROM 108 stores a basic program for starting up an OS or the like
activated by the CPU 106, and other data.
[0253] The AV process section 109 has a data compression and
decompression process mechanism, specifically, an MPEG2 decoder, an ATRAC
decoder, an MP3 decoder, or the like, to execute processes for data
outputs to a data output apparatus such as a display or speakers (not
shown) attached or connected to the recording and reproducing device main
body.
[0254] The input interface 110 outputs input data from various connected
input means such as a controller, a keyboard, and a mouse, to the main
CPU 106. The main CPU 106 executes a process in accordance with a command
issued by a user via the controller, based on a game program being
executed or the like.
[0255] The PIO (Parallel I/O) interface 111 and the SIO (Serial I/O)
interface 112 are used as storage devices for a memory card or a game
cartridge and as a connection interface to a portable electronic device
or the like.

[0256] The main CPU 106 also executes control in storing as saved data,
setting data or the like for a game being executed or the like. During
this process, stored data are transferred to the control section 301,
which causes the cryptography process section 302 to execute a
cryptography process for the saved data as required and then stores the
encrypted data in the recording device 400. These cryptography processes
will be described later in detail.

[0257] The recording device 400 is a storage medium that can preferably
be installed in and removed from the recording and reproducing device
300, and comprises, for example, a memory card. The recording device 400
has the cryptography process section 401 and the external memory 402.

[0258] The recording device cryptography process section 401 executes the
mutual authentication process, encryption and decryption processes, data
verification process, and other processes between the recording and
reproducing device 300 and the recording device 400 in downloading
content data from the recording and reproducing device 300 or reproducing
content data from the recording device 400 to the recording and
reproducing device 300, and has a control section, an internal memory, an
encryption/decryption section, and others similarly to the cryptography
process section of the recording and reproducing device 300. The details
will be shown in Fig. 3. The external memory 402 comprises a non-volatile
memory comprising a flash memory such as an EEPROM, a hard disk, or a RAM
with batteries, or the like, to store encrypted content data or the like.

[0259] Fig. 3 is a view schematically showing the configuration of data
input from a medium 500 and a communication means 600 that are data
providing means from which the data processing apparatus according to the
present invention receives data, and focusing on the configurations of
the recording and reproducing device 300 receiving an input of a content
from the content providing means 500 or 600 and of arrangements for the
cryptography process in the recording device 400.
[0260] The medium 500 is, for example, an optical disk medium, a magnetic
disk medium, a magnetic tape medium, a semiconductor medium, or the like.
The communication means 600 is capable of data communication such as
Internet, cable, or satellite communication.
[0261] In Fig. 3, the recording and reproducing device 300 verifies data
input by the medium 500 or the communication means 600, that is, a
content meeting a predetermined format as shown in Fig. 3, and stores the
verified content in the recording device 400.
[0262] As shown in the sections of the medium 500 and communication means
600 in Fig. 3, the content data has the following components:

Content ID: content ID as an identifier for content 
data. 

Usage policy: a usage policy containing constituent 
information of content data, for example, the sizes 
of a header section and a content section constitut- 
ing the content data, a format version, a content 
type indicating whether the content is a program or 
data, a localization field indicating whether the con- 
tent can be used only in an apparatus that has 
downloaded the content or also in other apparatus- 
es. 

Block information table: block information table 
comprising the number of content blocks, a block 
size, an encryption flag indicating the presence of 
encryption, and others. 

Key data: key data comprising an encryption key for 
encrypting the above described block information 
table, a content key for encrypting a content block, 
or the like. 

Content block: content block comprising program data, music or image
data, or other data to be actually reproduced.

[0263] The content data will be explained later in fur- 
ther detail with reference to Fig. 4 and subsequent fig- 
ures. 

[0264] The content data are encrypted by the content key (hereafter
referred to as the "Kcon") and then provided to the recording and
reproducing device 300 from the medium 500 or the communication means
600. The content can be stored in the external memory of the recording
device 400 via the recording and reproducing device 300.

[0265] For example, the recording device 400 uses a key (hereafter
referred to as a "storage key" (Kstr)) unique thereto stored in the
internal memory 405 thereof to encrypt the content contained in the
content data, the block information table contained in the content data
as header information, and information on various keys such as the
content key Kcon, before storing these data in the external memory 402.
To download the content data from the recording and reproducing device
300 to the recording device 400 or allow the recording and reproducing
device 300 to reproduce the content data stored in the recording device
400, predetermined procedures such as a mutual authentication process
between the apparatuses and content data encrypting and decrypting
processes are required. These processes will be explained later in
detail.

[0266] The recording device 400 has the cryptogra- 
phy process section 401 and the external memory 402, 
and the cryptography process section 401 has a control 
section 403, a communication section 404, the internal 
memory 405, an encryption/decryption section 406, and 
an external memory control section 407. 



[0267] The recording device 400 is responsible for the whole cryptography
process, controls the external memory 402, and comprises the recording
device cryptography process section 401 for interpreting a command from
the recording and reproducing device 300 and executing a process, and the
external memory 402 holding contents or the like.

[0268] The recording device cryptography process section 401 has the
control section 403 for controlling the entire recording device
cryptography process section 401, the communication section 404 for
transmitting and receiving data to and from the recording and reproducing
device 300, the internal memory 405 that holds information such as keys
for the cryptography process and has been processed so as to prevent data
from being easily read out externally, the encryption/decryption section
406 for executing the encryption and decryption processes, generating and
verifying authentication data, generating random numbers, etc., and the
external memory control section 407 for reading and writing data from and
to the external memory 402.

[0269] The control section 403 executes control of the whole cryptography
process such as the authentication process and the encryption/decryption
processes executed by the recording device 400, for example, processes of
setting an authentication completion flag when the authentication process
executed between the recording and reproducing device 300 and the
recording device 400 has completed, commanding the execution of various
processes executed in the encryption/decryption section 406 of the
cryptography process section 401, for example, a download process and a
process for generating integrity check values for reproduced content
data, and commanding the execution of a process for generating various
key data.
[0270] The internal memory 405 comprises a memory having a plurality of
blocks to store a plurality of sets of key data, identification data, or
other data which are required for various processes such as the mutual
authentication process, integrity check value collating process, and
encryption and decryption process which are executed by the recording
device 400, as described later in detail.

[0271] The internal memory 405 of the recording device cryptography
process section 401, like the internal memory 307 of the recording and
reproducing device cryptography process section 302 previously described,
holds important information such as cryptography keys and must thus be
configured so as not to have its data externally read out easily. Thus,
the cryptography process section 401 of the recording and reproducing
device 400 is characterized to restrain external invalid reads in that it
comprises a semiconductor chip that essentially rejects external accesses
and has a multilayer structure, an internal memory sandwiched between
dummy layers of aluminum or the like or arranged in the lowest layer, and
a narrow range of operating voltages and/or frequencies. In this regard,
the recording and reproducing device cryptography process section 302 may
be software configured so as to prevent secret information for keys from
leaking easily to the exterior.
[0272] The encryption/decryption section 406 uses 
key data or the like stored in the internal memory 405 to 
execute the data verifying process, the encryption and 
decryption processes, the generation and verification of 
predetermined integrity check values or electronic sig- 
natures, the generation of random numbers, etc. in 
downloading content data from the recording and repro- 
ducing device 300, reproducing content data stored in 
the external memory 402 of the recording device 400, 
or executing mutual authentication between the record- 
ing and reproducing device 300 and the recording de- 
vice 400. 

[0273] The communication section 404 is connected to the recording device
controller 303 of the recording and reproducing device 300 to download or
reproduce content data or communicate transfer data between the recording
and reproducing device 300 and the recording device 400 during the mutual
authentication process according to the control of the control section
301 of the recording and reproducing device 300, or the control of the
control section 403 of the recording device 400.

(2) Content Data Format 

[0274] Next, by using Fig. 4 to Fig. 6, the data format 
of data stored in the medium 500 of the system accord- 
ing to the present invention or communicated on the da- 
ta communication means 600 will be explained. 
[0275] The configuration shown in Fig. 4 shows the format of the entire
content data, the configuration shown in Fig. 5 shows details of the
"usage policy" partly constituting the header section of the content
data, and the configuration shown in Fig. 6 shows details of the "block
information table" partly constituting the header section of the content.

[0276] A representative example of the data format 
applied to the system according to the present invention 
will be explained, but different types of data formats 
such as formats corresponding to game programs and 
formats suitable for real-time processing of music data 
or the like can be used for the present system. The as- 
pects of these formats will be described later in further 
detail, in "(10) Plural Content Data Formats and Down- 
load and Reproduction Processes Corresponding to 
Each Format". 

[0277] In the data format shown in Fig. 4, items shown in gray indicate
encrypted data, items enclosed by double frames indicate tamper check
data, and the other items shown in white indicate plain text data that
are not encrypted. Encryption keys of the encryption section are shown on
the left of the frames. In the example shown in Fig. 4, some of the
blocks (content block data) of the content section contain encrypted
data, while the others contain non-encrypted data. This form varies
depending on the content data, and all the content block data contained
in the data may be encrypted.
[0278] As shown in Fig. 4, the data format is divided into the header
section and the content section, and the header section comprises a
content ID, a usage policy, an integrity check value A (hereafter
referred to as "ICVa"), a block information table key (hereafter referred
to as "Kbit"), a content key Kcon, a block information table (hereafter
referred to as "BIT"), an integrity check value B (ICVb), and a total
integrity check value (ICVt), and the content section comprises a
plurality of content blocks (for example, encrypted and non-encrypted
contents).

[0279] In this case, the individual information indicates a content ID
for identifying a content. The usage policy comprises a header length
indicating the size of the header section, a content length indicating
the size of the content section, a format version indicating version
information for the format, a format type indicating the type of the
format, a content type indicating the type of the content, that is,
whether it is a program or data, an operation priority indicating a
priority for activation if the content type is a program, a localization
field indicating whether the content downloaded in accordance with this
format can be used only in an apparatus that has downloaded the content
or also in other similar apparatuses, a copy permission indicating
whether the content downloaded in accordance with this format can be
copied from the apparatus that has downloaded the content to another
similar apparatus, a move permission indicating whether the content
downloaded in accordance with this format can be moved from the apparatus
that has downloaded the content to another similar apparatus, an
encryption algorithm indicating an algorithm used to encrypt content
blocks in the content section, an encryption mode indicating a method for
operating the algorithm used to encrypt the content in the content
section, and an integrity check method indicating a method for generating
integrity check values, as shown in detail in Fig. 5.

[0280] The above described data items recorded in the usage policy are
only exemplary and various usage policy information can be recorded
depending on the aspect of corresponding content data. The identifier is
described later in detail in, for example, "(17) Configuration for
Excluding (Revoking) Illegal Apparatuses". It is also possible to make a
configuration so as to exclude the use of content caused by the illegal
apparatus by recording the content of an illegal recording and
reproducing apparatus as data and by checking the time of starting the
use.

[0281] The integrity check value A (ICVa) is used to verify that the
content ID or the usage policy has not been tampered with. It functions
as a check value for partial data instead of the entire content data,
that is, as a partial integrity check value. The data block information
table key Kbit is used to encrypt a block information table, and the
content key Kcon is used to encrypt content blocks. The block information
table key Kbit and the content key Kcon are encrypted with a distribution
key (hereafter referred to as "Kdis") on the medium 500 and the
communication means 600.

[0282] Fig. 6 shows the block information table in detail. The block
information table in Fig. 6 comprises data all encrypted with the block
information table key Kbit as seen in Fig. 4. The block information table
comprises a block number indicating the number of content blocks and
information on N content blocks, as shown in Fig. 6. The content block
information table comprises a block length, an encryption flag indicating
whether or not the block has been encrypted, an ICV flag indicating
whether or not integrity check values must be calculated, and a content
integrity check value (ICVi).
[0283] The content integrity check value is used to verify that each
content block has not been tampered with. A specific example of a method
for generating a content integrity check value will be explained later in
"(10) Plural Content Data Formats and Download and Reproduction Processes
Corresponding to Each Format". The block information table key Kbit used
to encrypt the block information table is further encrypted with the
distribution key Kdis.

[0284] The description of the data format in Fig. 4 continues. The
integrity check value B (ICVb) is used to verify that the block
information table key Kbit, the content key Kcon, and the block
information table have not been tampered with. It functions as a check
value for partial data instead of the entire content data, that is, as a
partial integrity check value. The total integrity check value ICVt is
used to verify that the integrity check values ICVa and ICVb, the
integrity check values ICVi for each content block (if this has been
set), partial integrity check values thereof, or all the data to be
checked have not been tampered with.
[0285] In Fig. 6, the block length, the encryption flag, 
and the ICV flag can be arbitrarily set, but certain rules 
may be established. For example, encrypted- and plain- 
text areas may be repeated over a fixed length, all the 
content data may be encrypted, or the block information 
table BIT may be compressed. Additionally, to allow dif- 
ferent content keys Kcon to be used for different content 
blocks, the content key Kcon may be contained in the 
content block instead of the header section. Examples 
of the content data format will be described in further 
detail in "(10) Plural Content Data Formats and Down- 
load and Reproduction Processes Corresponding to 
Each Format". 

(3) Outline of Cryptography Processes Applicable to 
Present Data Processing Apparatus 

[0286] Next, the aspects of various cryptography processes applicable to
the data processing apparatus according to the present invention will be
explained. The description of the cryptography processes shown in "(3)
Outline of Cryptography Processes Applicable to Present Data Processing
Apparatus" corresponds to an outline of the aspect of a cryptography
process on which are based various processes executed by the present data
processing apparatus which will be specifically described later, for
example, "a. authentication process between recording and reproducing
device and recording device", "b. download process for device for loading
contents", and "c. process for reproducing content stored in recording
device". Specific processes executed by the recording and reproducing
device 300 and the recording device 400 will be each described in detail
in the item (4) and subsequent items.
[0287] An outline of the cryptography process applicable to the data
processing apparatus will be described in the following order:

(3-1) Message Authentication Based on Common Key Cryptosystem

(3-2) Electronic Signature Based on Public Key Cryptosystem

(3-3) Verification of Electronic Signature Based on Public Key
Cryptosystem

(3-4) Mutual Authentication Based on Common Key Cryptosystem

(3-5) Public Key Certificate

(3-6) Mutual Authentication Based on Public Key Cryptosystem

(3-7) Encryption Process Using Elliptic Curve Cryptography

(3-8) Decryption Process Using Elliptic Curve Cryptography

(3-9) Random Number Generating Process

(3-1) Message Authentication Based on Common Key
Cryptosystem



[0288] First, a process for generating tamper detecting data using a
common key cryptography method will be explained. The tamper detecting
data are added to the data to be checked for tampering in order to detect
tampering and authenticate a creator.

[0289] For example, the integrity check values A and B and total
integrity check value in the data structure described in Fig. 4 which are
enclosed by double frames, the content check value stored in each block
in the block information table shown in Fig. 6, and the like are
generated as the tamper detecting data.
[0290] Here, the use of the DES, which is a common key cryptosystem, will
be explained as an example of a method for generating and processing
electronic signature data. In addition to the DES, the present invention
may use, for example, the FEAL (Fast Encipherment Algorithm) or the AES
(Advanced Encryption Standard) (U.S. next-term standard cryptography) as
a similar process based on a common key cryptosystem.
[0291] A method for generating an electronic signature using a general
DES will be explained with reference to Fig. 7. First, before generating
an electronic signature, a message to which the electronic signature is
to be added is divided into sets of 8 bytes (the pieces of the divided
message are hereafter referred to as "M1, M2, ..., MN"). An initial value
(hereafter referred to as "IV") and the M1 are exclusive-ORed (the result
is referred to as "I1"). Next, the I1 is input to a DES encrypting
section, which encrypts it using a key (hereafter referred to as "K1")
(the output is referred to as "E1"). Subsequently, the E1 and the M2 are
exclusive-ORed, and the output I2 is input to the DES encrypting section,
which encrypts it using the key K1 (the output is referred to as "E2").
This process is repeated to encrypt all the messages obtained by means of
the division. The final output EN is an electronic signature. This value
is generally called a "MAC (Message Authentication Code)" used to check a
message for tampering. In addition, such a system for chaining encrypted
texts is called a "CBC (Cipher Block Chaining) mode".

[0292] The MAC value output in the example of gen- 
eration shown in Fig. 7 can be used as the integrity 
check value A or B or total integrity check value in the 
data structure shown in Fig. 4 which is enclosed by dou- 
ble frames and the content check value ICV1 to ICVN 
stored in each block in the block information table shown 
in Fig. 6. In verifying the MAC value, a verifier generates 
it using a method similar to that used to originally gen- 
erate it, and the verification is determined to be success- 
ful if the same value is obtained. 

[0293] Moreover, in the example shown in Fig. 7, the initial value IV is
exclusive-ORed with the first 8-byte message M1, but the initial value IV
may be zero and not exclusive-ORed.

[0294] Fig. 8 shows the configuration of a method for 
generating the MAC value which has improved security 
compared to the MAC value generating method shown 
in Fig. 7. Fig. 8 shows an example where instead of the 
Single DES in Fig. 7, the Triple DES is used to generate 
the MAC value. 

[0295] Figs. 9A and 9B show an example of a detailed configuration of
each of the Triple DES components shown in Fig. 8. There are two
different aspects of the configuration of the Triple DES as shown in Fig.
9. Fig. 9(a) shows an example using two cryptography keys where
processing is carried out in the order of an encryption process with a
key 1, a decryption process with a key 2, and an encryption process with
the key 1. The two types of keys are used in the order of K1, K2, and K1.
Fig. 9(b) shows an example using three cryptography keys where processing
is carried out in the order of an encryption process with the key 1, an
encryption process with the key 2, and an encryption process with a key
3. The three types of keys are used in the order of K1, K2, and K3. The
plurality of processes are thus continuously executed to improve security
intensity compared to the Single DES. The Triple DES configuration,
however, has the disadvantage of requiring an amount of processing time
three times as large as that for the Single DES.

[0296] Fig. 10 shows an example of a MAC value generating configuration
obtained by improving the Triple DES configuration described in Figs. 8
and 9. In Fig. 10, the encryption process for each of the messages from
beginning to end of a message string to which a signature is to be added
is based on the Single DES, while only the encryption process for the
last message is based on the Triple DES configuration shown in Fig. 9(a).

[0297] The configuration shown in Fig. 10 reduces the time required to
generate the MAC value for the message down to a value almost equal to
the time required for the MAC value generating process based on the
Single DES, with security improved compared to the MAC value based on the
Single DES. Moreover, the Triple DES configuration for the last message
may be as shown in Fig. 9(b).
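
The three MAC configurations of Figs. 7, 8 and 10, applied to a header that a check value such as ICVa would cover, are sketched below as an added example; it is not code from the patent. A toy 64-bit Feistel cipher stands in for DES so the block runs without third-party libraries, and the key values, field sizes and sample header bytes are constructed assumptions.

```python
import hashlib
import hmac

BLOCK = 8  # DES block size in bytes; the message is cut into M1..MN of this size


def _feistel(key, block, decrypt=False):
    """Toy 16-round Feistel cipher on 8-byte blocks. It stands in for DES so
    that the example is self-contained; it is NOT DES and not for real use."""
    left, right = block[:4], block[4:]
    rounds = range(15, -1, -1) if decrypt else range(16)
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left


def enc(key, block):
    return _feistel(key, block)


def dec(key, block):
    return _feistel(key, block, decrypt=True)


def ede(k1, k2, block):
    """Two-key triple encryption in the order of Fig. 9(a): E(K1), D(K2), E(K1)."""
    return enc(k1, dec(k2, enc(k1, block)))


def cbc_mac(message, encrypt_block, encrypt_last=None, iv=bytes(BLOCK)):
    """Chain I_n = E_(n-1) XOR M_n and E_n = encrypt(I_n); the MAC is E_N.
    encrypt_last, if given, replaces the cipher for the final block only."""
    if not message or len(message) % BLOCK:
        # The page defines no padding rule, so this example refuses to guess one.
        raise ValueError("message must be a non-empty multiple of 8 bytes")
    blocks = [message[i:i + BLOCK] for i in range(0, len(message), BLOCK)]
    chain = iv  # an all-zero IV is the "IV may be zero" case of [0293]
    for n, m in enumerate(blocks, start=1):
        i_n = bytes(a ^ b for a, b in zip(chain, m))
        last = n == len(blocks)
        chain = (encrypt_last if last and encrypt_last else encrypt_block)(i_n)
    return chain


def mac_fig7(message, k1):
    """Single cipher on every block (Fig. 7)."""
    return cbc_mac(message, lambda b: enc(k1, b))


def mac_fig8(message, k1, k2):
    """Triple configuration on every block (Fig. 8): about three times the work."""
    return cbc_mac(message, lambda b: ede(k1, k2, b))


def mac_fig10(message, k1, k2):
    """Single cipher on M1..M(N-1), triple configuration on MN only (Fig. 10)."""
    return cbc_mac(message, lambda b: enc(k1, b), lambda b: ede(k1, k2, b))


def icv_matches(message, icv, k1, k2):
    """Verifier side of [0292]: regenerate the value, compare in constant time."""
    return hmac.compare_digest(mac_fig10(message, k1, k2), icv)


# Constructed sample data (assumptions, not values from the patent).
K1, K2 = b"k1-demo!", b"k2-demo!"
CONTENT_ID = b"CONTENT-ID-00001"                   # 16 bytes
USAGE_POLICY = bytes.fromhex("0001000200000000")   # 8 bytes
HEADER = CONTENT_ID + USAGE_POLICY                 # data a partial check value covers

if __name__ == "__main__":
    icv = mac_fig10(HEADER, K1, K2)
    tampered = HEADER[:-1] + bytes([HEADER[-1] ^ 0x01])
    print("ICV:", icv.hex())
    print("original verifies:", icv_matches(HEADER, icv, K1, K2))
    print("tampered verifies:", icv_matches(tampered, icv, K1, K2))
```

When K2 equals K1 the decrypt step cancels the first encrypt step, so the Fig. 10 value collapses to the Fig. 7 value; the extra strength comes only from an independent second key.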

(3-2) Electronic Signature Based on Public Key 
Cryptosystem 

[0298] The method for generating electronic signature data if the common
key encryption system is used as the encryption system has been
described, but a method for generating electronic signature data if a
public key cryptosystem is used as the encryption system will be
described with reference to Fig. 11. The process shown in Fig. 11
corresponds to a process flow of generation of electronic signature data
using the Elliptic Curve Digital Signature Algorithm (EC-DSA), IEEE
P1363/D3. An example using the Elliptic Curve Cryptography (hereafter
referred to as "ECC") as public key cryptography will be explained. In
addition to the elliptic curve cryptography, the data processing
apparatus according to the present invention may use, for example, the
RSA (Rivest, Shamir, Adleman; ANSI X9.31) cryptography, which is a
similar public key cryptosystem.
[0299] Each step in Fig. 11 will be described. At step S1, the following
definitions are set: reference symbol p denotes a characteristic, a and b
denote coefficients of an elliptic curve (elliptic curve:
$y^2 = x^3 + ax + b$), G denotes a base point on the elliptic curve, r
denotes the order of G, and Ks denotes a secret key (0 < Ks < r). At
step S2, a hash value for the message M is calculated to obtain
f = Hash(M).

[0300] Then, a method for determining a hash value using a hash function
will be explained. The hash function receives a message as an input,
compresses it into data of a predetermined bit length, and outputs the
compressed data as a hash value. The hash value is characterized in that
it is difficult to predict an input from a hash value (output), in that
when one bit of data input to the hash function changes, many bits of the
hash value change, and in that it is difficult to find different input
data with the same hash value. The hash function may be MD4, MD5, or
SHA-1, or DES-CBC similar to that described in Fig. 7 or other figures.
In this case, the MAC (corresponding to the integrity check value ICV),
which is the final output value, is the hash value.
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[0301] Subsequently, at step S3, a random number u 
(0 < u < r) is generated, and at step S4, the base point 
is multiplied by u to obtain coordinates V (Xv, Yv). An 
addition and a multiplication by two on the elliptic curve 
are defined as follows: 

If P=(Xa, Ya),Q=(Xb ) Yb),R=(Xc, YC)=P+Q. 
When P*Q (addition), 

Xc=)i 2 -Xa-Xb 
Yc=Xx(Xa-Xc)-Ya 
A,=(Yb-Ya)/(Xb-Xa) 
When P=Q (multiplication by two), 

Xc=X 2 -2Xa 
Yc=Xx(Xa-Xc)-Ya 

X=(3(Xa) 2 +a)/(2Ya) (1) 

[0302] These are used to multiply the point G by u.
Although the calculation speed is low, the most
easy-to-understand calculation method is as follows:
G, 2 x G, 4 x G, ... are calculated; u is binary-expanded,
and the corresponding 2^i x G (the value obtained by
doubling G i times) is added for each bit that is 1
(i denotes a bit position as counted from the LSB).

[0303] At step S5, c = Xv mod r is calculated, and at
step S6, it is determined whether the result is zero. If the
result is not zero, then at step S7, d = [(f + cKs)/u] mod r is
calculated, and at step S8, it is determined whether d is
zero. If d is not zero, then at step S9, c and d are
output as electronic signature data. When r is assumed
to have a length of 160 bits, the electronic signature
data have a length of 320 bits.

[0304] If the c is 0 at step S6, the process returns to 
step S3 to regenerate a new random number. Similarly, 
if the d is 0 at step S8, the process also returns to step 
S3 to regenerate a new random number. 

(3-3) Verification of Electronic Signature Based on 
Public Key Cryptosystem

[0305] Next, a method for verifying an electronic
signature using the public key cryptosystem will be
described with reference to Fig. 12. At step S11, the
following definitions are set: reference symbol M denotes
a message, reference symbol p denotes a characteristic,
reference symbols a and b denote elliptic curve
coefficients (elliptic curve: y^2 = x^3 + ax + b), reference
symbol G denotes a base point on the elliptic curve,
reference symbol r denotes the order of G, and reference
symbols G and Ks x G denote public keys (0 < Ks < r). At
step S12, it is verified that the electronic signature data
c and d meet 0 < c < r and 0 < d < r. If the data meet
these conditions, then at step S13, a hash value for the
message M is calculated to obtain f = Hash(M). Next,
at step S14, h = 1/d mod r is calculated, and at step S15,
h1 = fh mod r and h2 = ch mod r are calculated.
[0306] At step S16, the already calculated h1 and h2
are used to calculate P = (Xp, Yp) = h1 x G + h2 x Ks x
G. An electronic-signature verifier knows the public keys
G and Ks x G and can thus calculate a scalar
multiplication of a point on the elliptic curve similarly to step S4
in Fig. 11. Then, at step S17, it is determined whether
P is a point at infinity, and if not, the process
proceeds to step S18 (the determination of whether P
is a point at infinity can actually be made at step S16.
That is, when P = (X, Y) and Q = (X, -Y) are added
together, λ cannot be calculated, indicating that P + Q
is a point at infinity). At step S18, Xp mod r is calculated
and compared with the electronic signature data c.
Finally, if these values are equal, the process proceeds to
step S19 to determine that the electronic signature is
correct.

[0307] If it is determined that the electronic signature
is correct, the data have not been tampered with and a
person holding the secret key corresponding to the
public keys has generated the electronic signature.
[0308] If the signature data c or d do not meet 0 < c <
r or 0 < d < r at step S12, the process proceeds to step
S20. Additionally, if P is a point at infinity at step S17,
the process also proceeds to step S20. Further, if the
value of Xp mod r does not equal the signature data c
at step S18, the process proceeds to step S20.
[0309] If it is determined at step S20 that the signature
is incorrect, this indicates that the received data have
been tampered with or have not been generated by the
person holding the secret key corresponding to the public
keys.
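
The signing flow of Fig. 11 (steps S1 to S9) and the verification flow of Fig. 12 (steps S11 to S20), written out as an added Python example; this is not code from the patent. Assumptions: secp256k1 stands in for the curve parameters the text leaves unspecified, SHA-1 is used as Hash, and the function names and the on-curve check of the public key are introduced here.

```python
import hashlib
import secrets

# secp256k1 domain parameters as a stand-in curve (assumption: the page gives
# no concrete values for p, a, b, G or r).
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
R = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INFINITY = None  # representation of the point at infinity


def on_curve(pt):
    """True if pt is a finite point satisfying y^2 = x^3 + ax + b (mod p)."""
    if pt is INFINITY:
        return False
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P == 0


def add(p1, p2):
    """Point addition and doubling as defined by equation (1)."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    (xa, ya), (xb, yb) = p1, p2
    if xa == xb and (ya + yb) % P == 0:
        return INFINITY  # (X, Y) + (X, -Y): lambda cannot be calculated
    if p1 == p2:
        lam = (3 * xa * xa + A) * pow(2 * ya, -1, P) % P
    else:
        lam = (yb - ya) * pow((xb - xa) % P, -1, P) % P
    xc = (lam * lam - xa - xb) % P
    return (xc, (lam * (xa - xc) - ya) % P)


def mul(k, pt):
    """Scalar multiplication by binary expansion of k from the LSB ([0302])."""
    acc = INFINITY
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def msg_hash(msg):
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")


def sign(msg, ks):
    f = msg_hash(msg)                           # S2
    while True:
        u = secrets.randbelow(R - 1) + 1        # S3: fresh secret u, 0 < u < r
        c = mul(u, G)[0] % R                    # S4, S5
        if c == 0:                              # S6: regenerate u
            continue
        d = (f + c * ks) * pow(u, -1, R) % R    # S7
        if d == 0:                              # S8: regenerate u
            continue
        return c, d                             # S9


def verify(msg, sig, pub):
    c, d = sig
    if not (0 < c < R and 0 < d < R):           # S12
        return False
    if not on_curve(pub):                       # added check, not in Fig. 12
        return False
    f = msg_hash(msg)                           # S13
    h = pow(d, -1, R)                           # S14
    h1, h2 = f * h % R, c * h % R               # S15
    pt = add(mul(h1, G), mul(h2, pub))          # S16
    if pt is INFINITY:                          # S17
        return False
    return pt[0] % R == c                       # S18
```
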

(3-4) Mutual Authentication Based on Common Key
Cryptosystem 

[0310] Next, a mutual authentication method using a
common key cryptosystem will be explained with
reference to Fig. 13. In this figure, the common key
cryptosystem is the DES, but any common key cryptosystem
similar to that previously described may be used. In Fig.
13, B first generates a 64-bit random number Rb and
transmits the Rb and its own ID, ID(b), to A. On receiving
the data, the A generates a new 64-bit random number
Ra, encrypts the data in the DES CBC mode in the order
of the Ra, Rb, and ID(b) using a key Kab, and returns
them to the B. According to the DES CBC mode process
configuration shown in Fig. 7, the Ra, Rb, and ID(b)
correspond to M1, M2, and M3, and the outputs E1, E2, and
E3 are the encrypted texts when the initial value IV = 0.
[0311] On receiving the data, the B decrypts the
received data with the key Kab. To decrypt the received
data, the encrypted text E1 is first decrypted with the
key Kab to obtain the random number Ra. Then, the
encrypted text E2 is decrypted with the key Kab, and the
result and the E1 are exclusive-ORed to obtain the Rb.
Finally, the encrypted text E3 is decrypted with the key
Kab, and the result and the E2 are exclusive-ORed to
obtain the ID(b). Of the Ra, Rb, and ID(b) thus obtained,
the Rb and ID(b) are checked for equality to those
transmitted by the B. If they are successfully verified, the B
authenticates the A.

[0312] Then, the B generates a session key (hereafter
referred to as "Kses") used after the authentication (this
is generated using a random number). The Rb, Ra, and
Kses are encrypted in the DES CBC mode in this order
using the key Kab and then returned to the A.
[0313] On receiving the data, the A decrypts the
received data with the key Kab. The method for decrypting
the received data is similar to that executed by the B, so
detailed description thereof is omitted. Of the Rb, Ra,
and Kses thus obtained, the Rb and Ra are checked for
equality to those transmitted by the A. If they are
successfully verified, the A authenticates the B. After the A
and B have authenticated each other, the session key
Kses is used as a common key for secret
communication after the authentication.

[0314] If illegality or inequality is found during the ver- 
ification of the received data, the mutual authentication 
is considered to have failed and the process is aborted. 

(3-5) Public Key Certificate 

[0315] Next, the public key certificate will be explained
with reference to Fig. 14. The public key certificate is
issued by a Certificate Authority (CA) for the public key
cryptosystem. When a user submits his or her own ID,
a public key, and others to the certificate authority, it
adds information such as its own ID and valid term to
the data submitted by the user and further adds its
signature thereto to generate a public key certificate.
[0316] The public key certificate shown in Fig. 14
contains the version number of the certificate, the
sequential number of the certificate allotted to the certificate
user by the certificate authority, an algorithm and
parameters used for the electronic signature, the name of the
certificate authority, the valid term of the certificate, the
name (user ID) of the certificate user, and the public key
and electronic signature of the certificate user.
[0317] The electronic signature is data generated by
applying the hash function to the entirety of the version
number of the certificate, the sequential number of the
certificate allotted to the certificate user by the certificate
authority, the algorithm and parameter used for the
electronic signature, the name of the certificate authority, the
valid term of the certificate, the name of the certificate
user, and the public key of the certificate user, to
generate a hash value, and then using the secret key of the
certificate authority for this value. For example, the
process flow described in Fig. 11 is applied to the generation
of the electronic signature.

[0318] The certificate authority issues the public key
certificate shown in Fig. 14, updates a public key
certificate for which the valid term has expired, and creates,
manages, and distributes an illegal user list to exclude
users who have committed an injustice (this is called
"revocation"). It also generates public and secret keys as
required.

[0319] On the other hand, to use this public key cer- 
tificate, the user uses the public key of the certificate 
authority held by itself to verify the electronic signature 
on the public key certificate, and after the electronic sig- 
nature has been successfully verified, it takes the public 
key out from the public key certificate and uses it. Thus, 
all users who use the public key certificate must hold a 
common public key of the certificate authority. The 
method for verifying the electronic signature has been
described in Fig. 12, so detailed description thereof is 
omitted. 

(3-6) Mutual Authentication Based on Public Key 
Cryptosystem 

[0320] Next, a method for mutual authentication using
a 160-bit elliptic curve cryptography, which is a public
key cryptography, will be described with reference to
Fig. 15. In this figure, the public key cryptosystem is the
ECC, but any similar public key cryptosystem may be
used as previously described. In addition, the key size
is not limited to 160 bits. In Fig. 15, the B first generates
and transmits the 64-bit random number Rb to the A.
On receiving the data, the A generates a new 64-bit
random number Ra and a random number Ak smaller than
the characteristic p. It then multiplies a base point G by
Ak to determine a point Av = Ak x G, generates an
electronic signature A.Sig for the Ra, Rb, and Av (X and Y
coordinates), and returns these data to the B together
with the A's public key certificate. In this case, since the
Ra and Rb each contain 64 bits and the X and Y
coordinates of the Av each contain 160 bits, the electronic
signature is for the total of 448 bits. The method for
generating the electronic signature has been described in
Fig. 11, so detailed description thereof is omitted. The
public key certificate has also been explained in Fig. 14,
so detailed description thereof is omitted.
[0321] On receiving the A's public key certificate, Ra,
Rb, Av, and electronic signature A.Sig, the B verifies
that the Rb transmitted by the A matches that generated
by the B. If they are determined to match, the B verifies
the electronic signature in the A's public key certificate
using the public key of the certificate authority, and takes
out the A's public key. The verification of the public key
certificate has been explained with reference to Fig. 14,
so detailed description thereof is omitted. The B then
uses the A's public key obtained to verify the electronic
signature A.Sig. The method for verifying the electronic
signature has been explained in Fig. 12, so detailed
description thereof is omitted. Once the electronic
signature has been successfully verified, the B authenticates
the A.

[0322] Next, the B generates a new random number
Bk smaller than the characteristic p. It then multiplies
the base point G by Bk to determine a point Bv = Bk x
G, generates an electronic signature B.Sig for the Rb,
Ra, and Bv (X and Y coordinates), and returns these
data to the A together with the B's public key certificate.
[0323] On receiving the B's public key certificate, Rb,
Ra, Av, and electronic signature B.Sig, the A verifies
that the Ra transmitted by the B matches that generated
by the A. If they are determined to match, the A verifies
the electronic signature in the B's public key certificate
using the public key of the certificate authority, and takes
out the B's public key. The A then uses the B's public
key obtained to verify the electronic signature B.Sig.
Once the electronic signature has been successfully
verified, the A authenticates the B.
[0324] If both the A and B have successfully authen- 
ticated each other, the B calculates Bk x Av (since the 
Bk is a random number but the Av is a point on the elliptic
curve, the point on the elliptic curve must be subjected 
to scalar multiplication), and the A calculates Ak x Bv 
so that lower 64 bits of each of the X coordinates of these 
points are used as the session key for subsequent com- 
munication (if the common key cryptography uses a 
64-bit key length). Of course, the session key may be 
generated from the Y coordinates, or the lower 64 bits 
may not be used. In secret communication after the mu- 
tual authentication, not only transmitted data are en- 
crypted with the session key but an electronic signature 
may be added thereto. 

[0325] If illegality or inequality is found during the ver- 
ification of the electronic signature or received data, the 
mutual authentication is considered to have failed and 
the process is aborted. 

(3-7) Encryption Process Using Elliptic Curve 
Cryptography 

[0326] Next, encryption using elliptic curve
cryptography will be explained with reference to Fig. 16. At step
S21, the following definitions are set: reference symbols
Mx and My denote messages, reference symbol p
denotes a characteristic, reference symbols a and b
denote elliptic curve coefficients (elliptic curve: y^2 = x^3 +
ax + b), reference symbol G denotes a base point on
the elliptic curve, reference symbol r denotes the order
of G, and reference symbols G and Ks x G denote
public keys (0 < Ks < r). At step S22, the random number u
is generated so that 0 < u < r. At step S23, coordinates
V are calculated by multiplying the public key Ks x G
by the u. The scalar multiplication on the elliptic curve
has been explained at step S4 in Fig. 11, and description
thereof is thus omitted. At step S24, the X coordinate of
the V is multiplied by the Mx and then divided by the p
to determine a remainder X0. At step S25, the Y
coordinate of the V is multiplied by the My and then divided
by the p to determine a remainder Y0. If the length of
the message is smaller than the number of the bits, the
My comprises a random number, and the decryption
section discards it. At step S26, u x G is calculated and
at step S27, an encrypted text u x G, (X0, Y0) is
obtained.
(3-8) Decryption Process Using Elliptic Curve 
Cryptography 

[0327] Next, decryption using the elliptic curve
cryptography will be described with reference to Fig. 17. At
step S31, the following definitions are set: reference
symbols u x G and (X0, Y0) denote encrypted text data,
reference symbol p denotes a characteristic, reference
symbols a and b denote elliptic curve coefficients
(elliptic curve: y^2 = x^3 + ax + b), reference symbol G denotes
a base point on the elliptic curve, reference symbol r
denotes the order of G, and reference symbol Ks denotes
a secret key (0 < Ks < r). At step S32, the encrypted data
u x G are multiplied by a value corresponding to the
secret key Ks to determine coordinates V (Xv, Yv). At
step S33, the X coordinate of (X0, Y0) is taken out from
the encrypted data and X1 = X0 / Xv mod p is calculated.
At step S34, the Y coordinate is taken out and Y1 = Y0
/ Yv mod p is calculated. At step S35, X1 is determined
to be Mx and Y1 is determined to be My to obtain a
message. At this point, if the My is not used for the message,
Y1 is discarded.

[0328] In this manner, when the secret key is Ks, the
public key is G, and Ks x G is calculated, the key used
for encryption and the key used for decryption may be
different.

[0329] Another known example of the public key
cryptography is the RSA, but detailed description thereof is
omitted (details thereof are described in PKCS #1
Version 2).

(3-9) Random Number Generating Process 


[0330] Next, a method for generating a random
number will be explained. Known random-number
generating methods include an intrinsic random-number
generating method that amplifies thermal noise to
generate a random number from the resulting A/D output
and a pseudo random-number generating method that
combines together a plurality of linear circuits such as
M sequences. A method is also known which uses
common key cryptography such as the DES. In this example,
the pseudo random-number generating method using
the DES will be described (ANSI X9.17 base).
[0331] First, the value of 64 bits (for a smaller number
of bits, higher bits are set to 0) obtained from data such
as time is defined as D, key information used for the
Triple-DES is defined as Kr, and a seed for generating a
random number is defined as S. Then, the random
number R is calculated as follows:

$$I = \text{Triple-DES}(Kr,\ D) \tag{2-1}$$

$$R = \text{Triple-DES}(Kr,\ S \oplus I) \tag{2-2}$$

$$S = \text{Triple-DES}(Kr,\ R \oplus I) \tag{2-3}$$

[0332] In this case, Triple-DES() is a function that
uses a first argument as cryptography key information and
that encrypts the value of a second argument based on
the Triple-DES. The operation $\oplus$ is an exclusive OR
executed every 64 bits. The last value S is updated as a
new seed.

[0333] If random numbers are continuously generat- 
ed, Equations (2-2) and (2-3) are repeated. 
[0334] The aspects of various cryptography process- 
es applicable to the data processing apparatus accord- 
ing to the present invention have been described. Next, 
specific processes executed in the present data 
processing apparatus will be described in detail. 

(4) Configuration of Data Stored in Recording and 
Reproducing Device 

[0335] Fig. 18 is a view useful in explaining the con- 
tents of data held in the internal memory 307 configured 
in the recording and reproducing device cryptography 
process section 302 of the recording and reproducing 
device 300 shown in Fig. 3. 

[0336] As shown in Fig. 18, the internal memory 307 
stores the following keys and data: 

MKake: recording device authenticating master key
for generating an authentication and key exchange
key (hereafter referred to as "Kake") required for a
mutual authentication process executed between
the recording and reproducing device 300 and
recording device 400 (see Fig. 3).

IVake: initial value for the recording device
authenticating key.

MKdis: master key for a distribution key for
generating a distribution key Kdis.

IVdis: distribution-key-generating initial value.

Kicva: integrity-check-value-A-generating key for
generating the integrity check value ICVa.

Kicvb: integrity-check-value-B-generating key for
generating the integrity check value ICVb.

Kicvc: content-integrity-check-value-generating
key for generating the integrity check value ICVi (i=1
to N) for each content block.

Kicvt: total-integrity-check-value-generating key for
generating the total integrity check value ICVt.

Ksys: system signature key used to add a common
signature or ICV to a distribution system.

Kdev: recording and reproducing device signature
key that varies depending on recording and
reproducing device and that is used by the recording and
reproducing device to add a signature or ICV.

IVmem: initial value that is used for a cryptography
process for mutual authentication, or the like. This
is shared by the recording device.

[0337] These keys and data are stored in the internal
memory 307 configured in the recording and
reproducing device cryptography process section 302.

(5) Configuration of Data Stored in Recording Device 

[0338] Fig. 19 is a view showing how data are held on
the recording device. In this figure, the internal memory
405 is divided into a plurality of (in this example, N)
blocks each storing the following keys and data:

IDmem: recording device identification information
that is unique to the recording device.

Kake: authentication key that is used for mutual
authentication with the recording and reproducing
device 300.

IVmem: initial value that is used for a cryptography
process for mutual authentication, or the like.

Kstr: storage key that is a cryptography key for the
block information table and other content data.

Kr: random number generating key.

S: seed.

[0339] These data are each held in the corresponding
block. An external memory 402 holds a plurality of (in
this example, M) content data; it holds the data
described in Fig. 4 as shown, for example, in Fig. 26 or 27.
The difference in configuration between Figs. 26 and 27
will be described later.

(6) Mutual Authentication Process between recording 
and reproducing device and recording device 


(6-1) Outline of Mutual Authentication Process 

[0340] Fig. 20 is a flow chart showing a procedure for
an authentication between the recording and
reproducing device 300 and the recording device 400. At step
S41, the user inserts the recording device 400 into the
recording and reproducing device 300. If, however, the
recording device 400 is capable of communication in a
non-contact manner, it need not be inserted thereinto.

[0341] When the recording device 400 is set in the
recording and reproducing device 300, a recording device
detecting means (not shown) in the recording and
reproducing device 300 shown in Fig. 3 notifies the control
section 301 that the recording device 400 has been
installed. Then at step S42, the control section 301 of the
recording and reproducing device 300 transmits an
initialization command to the recording device 400 via the
recording device controller 303. On receiving the
command, the recording device 400 causes the control
section 403 of the recording device cryptography process
section 401 to receive the command via the
communication section 404 and clear an authentication
completion flag if it has been set. That is, the unauthenticated
state is set.

[0342] Then at step S43, the control section 301 of 
the recording and reproducing device 300 transmits an 
initialization command to the recording and reproducing 
device cryptography process section 302. At this point, 
it also transmits a recording device insertion port 
number. When the recording device insertion port 
number is transmitted, even if a plurality of recording 
devices 400 are connected to the recording and repro- 
ducing device 300, the recording and reproducing de- 
vice 300 can simultaneously execute authentication 
with these recording devices 400 and transmit and re- 
ceive data thereto and therefrom. 
[0343] On receiving the initialization command, the
recording and reproducing device cryptography
process section 302 of the recording and reproducing device
300 causes the control section 306 thereof to clear the
authentication complete flag corresponding to the
recording device insertion port number if it has been set.
That is, the unauthenticated state is set.
[0344] Then at step S44, the control section 301 of 
the recording and reproducing device 300 specifies a 
key block number used by the recording device cryptog- 
raphy process section 401 of the recording device 400. 
Details of the key block number will be described later. 
At step S45, the control section 301 of the recording and 
reproducing device 300 reads out the recording device 
identification information IDmem stored in the specified 
key block in the internal memory 405 of the recording 
device 400. At step S46, the control section 301 of the 
recording and reproducing device 300 transmits the re- 
cording device identification information IDmem to the 
recording and reproducing device cryptography process 
section 302 to generate the authentication key Kake 
based on the recording device identification information 
IDmem. The authentication key Kake is generated, for 
example, as follows: 

$$Kake = \text{DES}(MKake,\ IDmem \oplus IVake) \tag{3}$$

[0345] In this case, the MKake denotes the master
key for the recording device authentication key used to
generate the authentication key Kake required for the
mutual authentication process executed between the
recording and reproducing device 300 and the recording
device 400 (see Fig. 3), the master key being stored in
the internal memory 307 of the recording and
reproducing device 300 as described above. Additionally, the
IDmem denotes the recording device identification
information unique to the recording device 400.
Furthermore, the IVake denotes the initial key for the recording
device authentication key. In addition, in the above
equation, the DES() denotes a function that uses a first
argument as cryptography key and that encrypts the
value of a second argument based on the DES. The
operation $\oplus$ denotes an exclusive OR executed every 64
bits.

[0346] If, for example, the DES configuration shown
in Fig. 7 or 8 is applied, the message M shown in Figs.
7 and 8 corresponds to the recording device
identification information: IDmem, the key K1 corresponds to the
master key for the device authentication key: MKake,
the initial value IV corresponds to the value: IVake, and
the output obtained is the authentication key Kake.
[0347] Then at step S47, the mutual authentication
process and the process for generating the session key
Kses are carried out. The mutual authentication is
executed between the encryption/decryption section 308 of
the recording and reproducing device cryptography
process section 302 and the encryption/decryption
section 406 of the recording device cryptography process
section 401; the control section 301 of the recording and
reproducing device 300 mediates therebetween.

[0348] The mutual authentication process can be
executed as previously described in Fig. 13. In the
configuration shown in Fig. 13, the A and B correspond to the
recording and reproducing device 300 and the recording
device 400, respectively. First, the recording and
reproducing device cryptography process section 302 of the
recording and reproducing device 300 generates the
random number Rb and transmits the Rb and the
recording and reproducing device identification
information IDdev, which is its own ID, to the recording device
cryptography process section 401 of the recording
device 400. The recording and reproducing device
identification information IDdev is an identifier unique to a
reproducing device stored in a memory section configured
in the recording and reproducing device 300. The
recording and reproducing device identification
information IDdev may be recorded in the internal memory of
the recording and reproducing device cryptography
process section 302.

[0349] On receiving the random number Rb and the
recording and reproducing device identification
information IDdev, the recording device cryptography process
section 401 of the recording device 400 generates a new
64-bit random number Ra, encrypts the data in the DES
CBC mode in the order of the Ra, Rb, and recording and
reproducing device identification information IDdev
using the authentication key Kake, and returns them to the
recording and reproducing device cryptography process
section 302 of the recording and reproducing device
300. For example, according to the DES CBC mode
process configuration shown in Fig. 7, the Ra, Rb, and
IDdev correspond to the M1, M2, and M3, respectively,
and when the initial value IV = IVmem, the outputs E1,
E2, and E3 are encrypted texts.

[0350] On receiving the encrypted texts E1, E2, and
E3, the recording and reproducing device cryptography
process section 302 of the recording and reproducing
device 300 decrypts the received data with the
authentication key Kake. To decrypt the received data, the
encrypted text E1 is first decrypted with the key Kake and
the result and the IVmem are exclusive-ORed to obtain
the random number Ra. Then, the encrypted text E2 is
decrypted with the key Kake, and the result and the E1
are exclusive-ORed to obtain the Rb. Finally, the
encrypted text E3 is decrypted with the key Kake, and the
result and the E2 are exclusive-ORed to obtain the
recording and reproducing device identification
information IDdev. Of the Ra, Rb, and recording and
reproducing device identification information IDdev thus
obtained, the Rb and recording and reproducing device
identification information IDdev are checked for equality
to those transmitted by the recording and reproducing
device 300. If they are successfully verified, the
recording and reproducing device cryptography process
section 302 of the recording and reproducing device 300
authenticates the recording device 400.
[0351] Then, the recording and reproducing device
cryptography process section 302 of the recording and
reproducing device 300 generates a session key
(hereafter referred to as "Kses") used after the authentication
(this is generated using a random number). The Rb, Ra,
and Kses are encrypted in the DES CBC mode in this
order using the key Kake and the initial value IVmem
and then returned to the recording device cryptography
process section 401 of the recording device 400.
[0352] On receiving the data, the recording device
cryptography process section 401 of the recording
device 400 decrypts the received data with the key Kake.
The method for decrypting the received data is similar
to that executed by the recording and reproducing
device cryptography process section 302 of the recording
and reproducing device 300, so detailed description
thereof is omitted. Of the Ra, Rb, and Kses thus
obtained, the Rb and Ra are checked for equality to those
transmitted by the recording device 400. If they are
successfully verified, the recording device cryptography
process section 401 of the recording device 400
authenticates the recording and reproducing device 300. After
these devices have authenticated each other, the
session key Kses is used as a common key for secret
communication after the authentication.
[0353] If illegality or inequality is found during the
verification of the received data, the mutual authentication
is considered to have failed and the process is aborted.
[0354] If the mutual authentication has been
successful, the process proceeds from step S48 to step S49
where the recording and reproducing device
cryptography process section 302 of the recording and
reproducing device 300 holds the session key Kses and where
the authentication complete flag is set, indicating that
the mutual authentication has been completed.
Additionally, if the mutual authentication has failed, the
process proceeds to step S50, the session key Kses is
discarded and the authentication complete flag is cleared.
If the flag has already been cleared, the clearing process
is not necessarily required.
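
The exchange of Fig. 13 as applied in steps S45 to S50, including the Kake derivation of equation (3), as an added Python example that is not code from the patent. Assumptions: an 8-round Feistel construction over SHA-256 stands in for DES (the Python standard library has none), the class and function names are hypothetical, and all key and ID values are constructed.

```python
import hashlib
import hmac
import secrets


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def enc_block(key, blk):
    """Stand-in 64-bit block cipher (8-round Feistel); takes the place of DES."""
    left, right = blk[:4], blk[4:]
    for i in range(8):
        left, right = right, xor(left, round_fn(key, i, right))
    return left + right


def dec_block(key, blk):
    left, right = blk[:4], blk[4:]
    for i in reversed(range(8)):
        left, right = xor(right, round_fn(key, i, left)), left
    return left + right


def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for m in blocks:
        prev = enc_block(key, xor(m, prev))
        out.append(prev)
    return out


def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for e in blocks:
        out.append(xor(dec_block(key, e), prev))
        prev = e
    return out


def derive_kake(mkake, idmem, ivake):
    """Equation (3): Kake = E(MKake, IDmem XOR IVake)."""
    return enc_block(mkake, xor(idmem, ivake))


class RecordingDevice:
    """Recording device 400 with one key block: IDmem, Kake, IVmem."""
    def __init__(self, idmem, kake, ivmem):
        self.idmem, self.kake, self.ivmem = idmem, kake, ivmem
        self.ra = self.rb = self.kses = None

    def respond(self, rb, iddev):
        self.kses = None                      # a new run starts unauthenticated
        self.ra, self.rb = secrets.token_bytes(8), rb
        return cbc_encrypt(self.kake, self.ivmem, [self.ra, rb, iddev])

    def finish(self, blocks):
        rb, ra, kses = cbc_decrypt(self.kake, self.ivmem, blocks)
        ok = hmac.compare_digest(rb, self.rb) and hmac.compare_digest(ra, self.ra)
        self.kses = kses if ok else None
        return ok


class Host:
    """Recording and reproducing device 300: MKake, IVake, IVmem, IDdev."""
    def __init__(self, mkake, ivake, ivmem, iddev):
        self.mkake, self.ivake, self.ivmem, self.iddev = mkake, ivake, ivmem, iddev
        self.kses = None

    def authenticate(self, dev, on_wire=lambda blocks: blocks):
        """Run the exchange; on_wire lets a test alter the device's reply."""
        self.kses = None
        kake = derive_kake(self.mkake, dev.idmem, self.ivake)    # S45, S46
        rb = secrets.token_bytes(8)
        reply = on_wire(dev.respond(rb, self.iddev))
        if len(reply) != 3 or any(len(b) != 8 for b in reply):
            return False
        ra, rb_seen, id_seen = cbc_decrypt(kake, self.ivmem, reply)
        if not (hmac.compare_digest(rb_seen, rb)
                and hmac.compare_digest(id_seen, self.iddev)):
            return False                                          # S50
        kses = secrets.token_bytes(8)
        if not dev.finish(cbc_encrypt(kake, self.ivmem, [rb, ra, kses])):
            return False                                          # S50
        self.kses = kses                                          # S49
        return True


# Constructed sample values (not from the page).
MKAKE, IVAKE = bytes.fromhex("0123456789abcdef"), bytes.fromhex("1111111111111111")
IVMEM, IDDEV = bytes.fromhex("2222222222222222"), bytes.fromhex("00000000000000a1")
IDMEM = bytes.fromhex("00000000000000b2")


def genuine_device():
    return RecordingDevice(IDMEM, derive_kake(MKAKE, IDMEM, IVAKE), IVMEM)
```

Because the host checks the Rb it generated for this run, a reply recorded from an earlier run is rejected, as is a reply from a device whose key block holds a Kake that was not derived from MKake.
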

[0355] If the recording device 400 is removed from the 
recording device insertion port, the recording device de- 
tecting means in the recording and reproducing device 
300 notifies the control section 301 of the recording and 
reproducing device 300 that the recording device 400 
has been removed. In response to this, the control sec- 
tion 301 of the recording and reproducing device 300 
commands the recording and reproducing device cryp- 
tography process section 302 of the recording and re- 
producing device 300 to clear the authentication com- 
plete flag corresponding to the recording device inser- 
tion port number. In response to this, the recording and 
reproducing device cryptography process section 302 
of the recording and reproducing device 300 clears the 
authentication complete flag corresponding to the re- 
cording device insertion port number. 
[0356] The example has been described where the 
mutual authentication process is executed in accord- 
ance with the procedure shown in Fig. 13, but the 
present invention is not limited to the above described 
example of authentication process but the process may 
be executed, for example, in accordance with the above 
described mutual authentication procedure in Fig. 15. 
Alternatively, in the procedure shown in Fig. 13, the A 
in Fig. 13 may be set as the recording and reproducing 
device 300, the B may be set as the recording device 
400, and the ID that the B: recording device 400 first 
delivers to the A: recording and reproducing device 300 
may be set as the recording device identification infor- 
mation in the key block in the recording device. Various 
processes are applicable to the authentication process 
procedure executed in the present invention, and the 
present invention is not limited to the above described 
authentication process. 

(6-2) Switching Key Block during Mutual Authentication

[0357] The mutual authentication process in the data 
processing apparatus according to the present inven- 
tion is partly characterized in that the authentication 
process is executed by configuring a plurality of (for ex- 
ample, N) key blocks on the recording device 400 side 
and allowing the recording and reproducing device 300 
to specify one of them (step S44 in the process flow in 
Fig. 20). As previously described in Fig. 19, the internal 
memory 405 configured in the cryptography process 
section 401 of the recording device 400 has a plurality 
of key blocks formed therein which store various differ- 
ent data such as key data and ID information. The mu- 
tual authentication process executed between the re- 
cording and reproducing device 300 and the recording 
device 400 as described in Fig. 20 is carried out on one 
of the plurality of key blocks of the recording device 400 
in Fig. 19. 

[0358] Conventional configurations for executing a mutual authentication process between a recording medium and a reproducing device therefor generally use a common authentication key for the mutual authentication. Thus, when the authentication key is to be changed for each product destination (country) or each product, key data required for authentication processes for the recording and reproducing device side and the recording device side must be changed on both devices. Accordingly, key data required for an authentication process stored in a newly sold recording and reproducing device do not correspond to key data required for an authentication process stored in a previously sold recording and reproducing device, so the new recording and reproducing device cannot access an old version of the recording device. Conversely, a similar situation occurs in the relationship between a new version of the recording device and the old version of the recording and reproducing device.

[0359] In the data processing apparatus according to the present invention, key blocks are stored in the recording device 400 as a plurality of different key sets as shown in Fig. 19. The recording and reproducing device has a key block to be applied to the authentication process, that is, a specified key block set, for example, for each product destination (country), product, device type, version, or application. This set information is stored in the memory section of the recording and reproducing device, for example, the internal memory 307 in Fig. 3 or other storage elements of the recording and reproducing device 300, and is accessed by the control section 301 in Fig. 3 during the authentication process to specify a key block in accordance therewith.
[0360] The master key MKake for the recording device authentication key in the internal memory 307 of the recording and reproducing device 300 is set in accordance with settings for a specified key block and can correspond only to that specified key block; it does not establish mutual authentication with any key blocks other than the specified one.

[0361] As is seen in Fig. 19, the internal memory 405 of the recording device 400 has N key blocks (1 to N) set which each store recording device identification information, an authentication key, an initial value, a storage key, a random-number generating key, and a seed; each key block stores at least authenticating key data as data varying depending on the block.
[0362] In this manner, the key data configuration of the key block in the recording device 400 varies depending on the block. Thus, for example, a key block with which a certain recording and reproducing device A can execute the authentication process using the master key MKake for the recording device authentication key stored in the internal memory can be set as a key block No. 1, and a key block with which a recording and reproducing device B with a different specification can execute the authentication process can be set as another key block, for example, a key block No. 2.
[0363] Although described later in detail, when a content is stored in the external memory 402 of the recording device 400, the storage key Kstr stored in each key block is used to encrypt and store the content. More specifically, the storage key is used to encrypt a content key for encrypting a content block.

[0364] As shown in Fig. 19, the storage key is configured as a key that varies depending on the block. Thus, a content stored in a memory of a recording device is prevented from being shared by two different recording and reproducing devices set to specify different key blocks. That is, differently set recording and reproducing devices can each use only the contents stored in a recording device that is compatible with its settings.
[0365] Data that can be made common to each key 
block can be made so, while, for example, only the au- 
thenticating key data and the storage key data may vary 
depending on the key block. 

[0366] In a specific example where key blocks com- 
prising a plurality of different key data are configured in 
the recording device, for example, different key block 
numbers to be specified are set for different types of re- 
cording and reproducing device 300 (an installed type, 
a portable type, and the like), or different specified key 
blocks are set for different applications. Furthermore, 
different key blocks may be set for different territories; 
for example, the key block No. 1 is specified for record- 
ing and reproducing devices sold in Japan, and the key 
block No. 2 is specified for recording and reproducing 
devices sold in the U.S. With such a configuration, a 
content that is used in different territories and that is 
stored in each recording device with a different storage 
key cannot be used in a recording and reproducing de- 
vice with different key settings even if a recording device 
such as a memory card is transferred from the U.S. to 
Japan or vice versa, thereby preventing the illegal or dis- 
orderly distribution of the content stored in the memory. 
Specifically, this serves to exclude a state where a content key Kcon encrypted with different storage keys Kstr can be mutually used in two different countries.
[0367] Moreover, at least one of the key blocks 1 to N in the internal memory 405 of the recording device 400 shown in Fig. 19, for example, the No. N key block may be shared by any recording and reproducing device 300.
[0368] For example, when the key block No. N and the master key MKake for the recording device authentication key, which is capable of authentication, are stored in all apparatuses, contents can be distributed irrespective of the type of the recording and reproducing device 300, the type of the application, or the destined country. For example, an encrypted content stored in a memory card with the storage key stored in the key block No. N can be used in any apparatus. For example, music data or the like can be decrypted and reproduced from a memory card by encrypting the data with the storage key in a shared key block, storing them in the memory card, and setting the memory card in, for example, a portable sound reproducing device storing the master key MKake for the recording device authentication key, which is also shared.
[0369] Fig. 21 shows an example of the usage of the recording device of the present data processing apparatus, which has a plurality of key blocks. A recording and reproducing device 2101 is a product sold in Japan and has a master key that establishes an authentication process with the key blocks No. 1 and No. 4 in the recording device. A recording and reproducing device 2102 is a product sold in the U.S. and has a master key that establishes an authentication process with the key blocks No. 2 and No. 4 in the recording device. A recording and reproducing device 2103 is a product sold in the EU and has a master key that establishes an authentication process with the key blocks No. 3 and No. 4 in the recording device.

[0370] For example, the recording and reproducing device 2101 establishes authentication with the key block 1 or 4 in the recording device A 2104 to store, in the external memory, contents encrypted via the storage key stored in that key block. The recording and reproducing device 2102 establishes authentication with the key block 2 or 4 in the recording device B 2105 to store, in the external memory, contents encrypted via the storage key stored in that key block. The recording and reproducing device 2103 establishes authentication with the key block 3 or 4 in the recording device C 2106 to store, in the external memory, contents encrypted via the storage key stored in that key block. Then, if the recording device A 2104 is installed in the recording and reproducing device 2102 or 2103, a content encrypted with the storage key in the key block 1 is unavailable because authentication is not established between the recording and reproducing device 2102 or 2103 and the key block 1. On the other hand, a content encrypted with the storage key in the key block 4 is available because authentication is established between the recording and reproducing device 2102 or 2103 and the key block 4.
[0371] As described above, in the data processing apparatus according to the present invention, the key blocks comprising the plurality of different key sets are configured in the recording device, while the recording and reproducing device stores the master key enabling authentication for a particular key block, thereby enabling the setting of restrictions on the use of contents depending on different use forms.

[0372] Moreover, a plurality of key blocks, for exam- 
ple, 1 to k may be specified in one recording and repro- 
ducing device, while a plurality of key blocks p and q 
may be specified in the other recording and reproducing 
devices. Additionally, a plurality of sharable key blocks 
may be provided. 
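
The Fig. 21 arrangement as an added Python model (not code from the patent): two regional hosts and one memory card whose key blocks each carry their own authentication key and storage key. HMAC-SHA256 cut to 8 bytes stands in for the DES operations; the derivation of Kake from MKake and the block ID, the shape of the challenge-response and the XOR key wrap are assumptions, and all names and key values are constructed.

```python
import hashlib
import hmac
import os

def prf(key, data):
    """HMAC-SHA256 cut to 8 bytes: a stand-in for the page's DES operations."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class RecordingDevice:
    """Memory card holding one key block per number (constructed model)."""

    def __init__(self, name, master_keys):
        self.blocks = {}
        for no, mkake in master_keys.items():
            block_id = f"{name}/block{no}".encode()
            # Assumption: Kake is derived from MKake and the block's ID.
            self.blocks[no] = {"id": block_id, "Kake": prf(mkake, block_id),
                               "Kstr": os.urandom(8)}
        self.active = None   # key block whose authentication-complete flag is set
        self.memory = {}     # external memory: title -> wrapped content key

    def start_auth(self, block_no):
        # Step S44: the host names the key block; any earlier flag is cleared.
        self.active, self._asked, self._rb = None, block_no, os.urandom(8)
        return self.blocks[block_no]["id"], self._rb

    def finish_auth(self, ra, host_proof):
        kake = self.blocks[self._asked]["Kake"]
        if not hmac.compare_digest(host_proof, prf(kake, b"host" + self._rb + ra)):
            return None      # mismatch: abort, the flag stays cleared
        self.active = self._asked
        return prf(kake, b"card" + ra + self._rb)

    def _pad(self, title):
        if self.active is None:
            raise PermissionError("no authenticated key block")
        # The storage key of the authenticated block is the only one used.
        return prf(self.blocks[self.active]["Kstr"], title.encode())

    def store_key(self, title, kcon):
        self.memory[title] = xor(kcon, self._pad(title))

    def load_key(self, title):
        return xor(self.memory[title], self._pad(title))

class Host:
    """Recording and reproducing device holding MKake for its specified blocks."""

    def __init__(self, master_keys):
        self.master_keys = master_keys

    def authenticate(self, card, block_no):
        # A host without the matching master key still runs the exchange and fails.
        mkake = self.master_keys.get(block_no, bytes(8))
        block_id, rb = card.start_auth(block_no)
        kake, ra = prf(mkake, block_id), os.urandom(8)
        reply = card.finish_auth(ra, prf(kake, b"host" + rb + ra))
        return reply is not None and hmac.compare_digest(
            reply, prf(kake, b"card" + ra + rb))

# Constructed master keys: blocks 1-3 are regional, block 4 is shared (Fig. 21).
MK = {n: hashlib.sha256(b"MKake-%d" % n).digest()[:8] for n in (1, 2, 3, 4)}
JAPAN = Host({1: MK[1], 4: MK[4]})
US = Host({2: MK[2], 4: MK[4]})

def demo():
    card, kcon = RecordingDevice("cardA", MK), os.urandom(8)
    JAPAN.authenticate(card, 1)
    card.store_key("regional", kcon)      # wrapped under Kstr of block 1
    JAPAN.authenticate(card, 4)
    card.store_key("shared", kcon)        # wrapped under Kstr of block 4
    results = {"us_auth_block1": US.authenticate(card, 1),
               "us_auth_block4": US.authenticate(card, 4)}
    results["us_reads_shared"] = card.load_key("shared") == kcon
    results["us_reads_regional"] = card.load_key("regional") == kcon
    return results
```

`demo()` shows the U.S. host failing against block 1, succeeding against the shared block 4, and recovering only the content key that was wrapped under block 4's storage key.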

(7) Process for Downloading from Recording and 
Reproducing Device to Recording Device 

[0373] Next, a process for downloading a content from the recording and reproducing device 300 to the external memory of the recording device 400 in the present data processing apparatus will be explained.
[0374] Fig. 22 is a flow chart useful in explaining a procedure for downloading a content from the recording and reproducing device 300 to the recording device 400. In this figure, the above described mutual authentication process is assumed to have been completed between the recording and reproducing device 300 and the recording device 400.

[0375] At step S51, the control section 301 of the recording and reproducing device 300 uses the read section 304 to read data of a predetermined format out from the medium 500 storing contents or uses the communication section 305 to receive data from the communication means 600 in accordance with a predetermined format. Then, the control section 301 of the recording and reproducing device 300 transmits the header section (see Fig. 4) of the data to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300.

[0376] Next, at step S52, the control section 306 of the recording and reproducing device cryptography process section 302, which has received the header at step S51, causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the integrity check value A. The integrity check value A is calculated in accordance with the ICV calculation method described in Fig. 7, using as a key the integrity-check-value-A-generating key Kicva stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the content ID and the usage policy as a message, as shown in Fig. 23. The initial value may be IV = 0, or the integrity-check-value-A-generating initial value IVa may be used which is stored in the internal memory 307 of the recording and reproducing device cryptography process section 302. Finally, the integrity check value A and the check value ICVa stored in the header are compared together, and if they are equal, the process proceeds to step S53.

[0377] As previously described in Fig. 4, the check value A, ICVa, is used to verify that the content ID and the usage policy have not been tampered with. If the integrity check value A calculated in accordance with the ICV calculation method described in Fig. 7, using as a key the integrity-check-value-A-generating key Kicva stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the content ID and the usage policy as a message, equals the check value ICVa stored in the header, it is determined that the content ID and the usage policy have not been tampered with.

[0378] Next, at step S53, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to generate the distribution key Kdis. The distribution key Kdis is generated, for example, as follows:

Kdis = DES(MKdis, ContentID ⊕ IVdis)   (4)

[0379] In this case, the MKdis denotes the master key for the distribution key for generating the distribution key Kdis, the master key being stored in the internal memory of the recording and reproducing device 300 as described above. In addition, the content ID is identification information for the header section of content data, and the IVdis denotes the initial value for the distribution key. Additionally, in the above equation, the DES() denotes a function that uses a first argument as a cryptography key and that encrypts the value of a second argument. The operation ⊕ denotes an exclusive OR executed every 64 bits.

[0380] At step S54, the control section 306 of the recording and reproducing device cryptography process section 302 uses the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 as well as the distribution key Kdis generated at step S53, to decrypt the block information table key Kbit and content key Kcon (see Fig. 4) stored in the header section of the data obtained from the medium 500 via the read section 304 or received from the communication means 600 via the communication section 305. As shown in Fig. 4, the block information table key Kbit and the content key Kcon are encrypted beforehand with the distribution key Kdis on the medium such as a DVD or CD or on a communication path such as the Internet.

[0381] Further, at step S55, the control section 306 of
the recording and reproducing device cryptography 
process section 302 uses the encryption/decryption 
section 308 of the recording and reproducing device 
cryptography process section 302 to decrypt the block 
information table (BIT) with the block information table 
key Kbit decrypted at step S54. The block information 
table (BIT) as shown in Fig. 4 is encrypted beforehand 
with the block information table key Kbit on the medium 
such as the DVD or CD or the communication path such 
as the Internet. 

[0382] Further, at step S56, the control section 306 of the recording and reproducing device cryptography process section 302 divides the block information table key Kbit, the content key Kcon, and the block information table (BIT) into 8-byte pieces, which are all exclusive-ORed (any operation such as an addition or subtraction may be used). Next, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the integrity check value B (ICVb). The integrity check value B is generated by using as a key the integrity-check-value-B-generating key Kicvb stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the previously calculated exclusive-ORed value based on the DES, as shown in Fig. 24. Finally, the integrity check value B and the ICVb in the header are compared together, and if they are equal, the process proceeds to step S57.

[0383] As previously described in Fig. 4, the check value B, ICVb, is used to verify that the block information table key Kbit, the content key Kcon, and the block information table (BIT) have not been tampered with. If the integrity check value B generated by using as a key the integrity-check-value-B-generating key Kicvb stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, dividing the block information table key Kbit, the content key Kcon, and the block information table (BIT) into 8-byte pieces, exclusive-ORing these data, and encrypting the exclusive-ORed data based on the DES, equals the check value ICVb stored in the header, it is determined that the block information table key Kbit, the content key Kcon, and the block information table have not been tampered with.

[0384] At step S57, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate an intermediate integrity check value. The intermediate value is calculated in accordance with the ICV calculation method described in Fig. 7, using as a key the total-integrity-check-value-generating key Kicvt stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the integrity check values A and B and all the held content integrity check values as a message. The initial value may be IV=0 or the total-integrity-check-value-generating initial value IVt may be used which is stored in the internal memory 307 of the recording and reproducing device cryptography process section 302. Additionally, the intermediate integrity check value generated is stored in the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 as required.

[0385] This intermediate integrity check value is generated using the integrity check values A and B and all the content integrity check values as a message, and data verified by each of these integrity check values may be verified by collating them with the intermediate integrity check value. In this embodiment, however, a plurality of different integrity check values, that is, total integrity check values ICVt and the check value ICVdev unique to the recording and reproducing device 300, can be separately generated based on the intermediate integrity check value, so that the process for verifying the absence of tampering, which is executed for data shared by the entire system, and the verification process for identifying data occupied only by each recording and reproducing device 300 after the download process can be executed distinguishably. These integrity check values will be described later.
[0386] The control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the total integrity check value ICVt. The total integrity check value ICVt is generated by using as a key a system signature key Ksys stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the intermediate integrity check value based on the DES. Finally, the total integrity check value ICVt generated and the ICVt in the header stored at step S51 are compared together, and if they are equal, the process proceeds to step S58. The system signature key Ksys is common to a plurality of recording and reproducing devices, that is, the entire system executing the process of recording and reproducing certain data.
[0387] As previously described in Fig. 4, the total integrity check value ICVt is used to verify that all of the integrity check values ICVa and ICVb and the integrity check value for each content block have not been tampered with. Thus, if the total integrity check value generated by means of the above described process equals the integrity check value ICVt stored in the header, it is determined that all of the integrity check values ICVa and ICVb and the integrity check value for each content block have not been tampered with.
[0388] Then at step S58, the control section 301 of 
the recording and reproducing device 300 takes content 
block information out from the block information table
(BIT) and checks whether any content block is to be ver- 
ified. If any content block is to be verified, the content 
integrity check value has been stored in the block infor- 
mation in the header. 

[0389] If any content block is to be verified, the control section 301 reads this content block out from the medium 500 by using the read section 304 of the recording and reproducing device 300, or receives it from the communicating means 600 by using the communication section 305 of the recording and reproducing device 300, and transmits the content block to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. On receiving the content block, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the content intermediate value.
[0390] The content intermediate value is generated 
by using the content key Kcon decrypted at step S54 to 
decrypt an input content block in the DES CBC mode, 
separating the resulting data into 8-byte pieces, and ex- 
clusive-ORing all these pieces (any operation such as 
an addition or subtraction may be used). 
[0391] Then, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the content integrity check value. The content integrity check value is generated by using as a key the content-integrity-check-value-generating key Kicvc stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the content intermediate value based on the DES. Then, the control section 306 of the recording and reproducing device cryptography process section 302 compares this content integrity check value with the ICV in the content block received from the control section 301 of the recording and reproducing device 300 at step S51, and passes the result to the control section 301 of the recording and reproducing device 300. On receiving the result and if the verification has been successful, the control section 301 of the recording and reproducing device 300 takes out the next content block to be verified and causes the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 to verify this content block. Similar verification processes are repeated until all the content blocks are verified. The initial value may be IV=0 or the content-integrity-check-value-generating initial value IVc may be used which is stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, if the header generating side uses the same settings. Additionally, all the checked content integrity check values are held in the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. Furthermore, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 monitors the order in which the content blocks are verified to consider the authentication to have failed if the order is incorrect or if it is caused to verify the same content block twice or more. If all the content blocks have been successfully verified, the process proceeds to step S59.
[0392] Then at step S59, the recording and reproduc- 
ing device cryptography process section 302 of the re- 
cording and reproducing device 300 causes the encryp- 
tion/decryption section 308 of the recording and repro- 
ducing device cryptography process section 302 to en- 
crypt the block information table key Kbit and content 
key Kcon decrypted at step S54, using the session key 
Kses made sharable during the mutual authentication. 
The control section 301 of the recording and reproduc- 
ing device 300 reads the block information table key Kbit 
and content key Kcon from the recording and reproduc- 
ing device cryptography process section 302 of the re- 
cording and reproducing device 300, the block informa- 
tion table key Kbit and content key Kcon being decrypt- 
ed using the session key Kses. The control section 301 
then transmits these data to the recording device 400 
via the recording device controller 303 of the recording 
and reproducing device 300. 

[0393] Then at step S60, on receiving the block information table key Kbit and content key Kcon transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device cryptography process section 401 to decrypt the received data using the session key Kses made sharable during the mutual authentication and to reencrypt the decrypted data with the storage key Kstr unique to the recording device which is stored in the internal memory 405 of the recording device cryptography process 401. Finally, the control section 301 of the recording and reproducing device 300 reads the block information key Kbit and the content key Kcon out from the recording device 400 via the recording device controller 303 of the recording and reproducing device 300, the block information key Kbit and the content key Kcon being reencrypted with the storage key Kstr. These are then substituted for the block information key Kbit and content key Kcon encrypted with the distribution key Kdis.
[0394] At step S61, the control section 301 of the recording and reproducing device 300 takes the localization field out from the usage policy in the header section of the data to determine whether the downloaded content can be used only in this recording and reproducing device 300 (in this case, the localization field is set to 1) or also by other similar recording and reproducing devices 300 (in this case, the localization field is set to 0). If the result of the determination shows that the localization field is set to 1, the process proceeds to step S62.
[0395] At step S62, the control section 301 of the recording and reproducing device 300 causes the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 to calculate the integrity check value unique to the recording and reproducing device. The integrity check value unique to the recording and reproducing device is generated by using as a key a recording and reproducing device signature key Kdev stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the intermediate integrity check value based on the DES, the intermediate integrity check value being held at step S58. The calculated integrity check value ICVdev unique to the recording and reproducing device substitutes for the total integrity check value ICVt.

[0396] As previously described, the system signature key Ksys is used to add a common signature or ICV to the distribution system, and the recording and reproducing device signature key Kdev varies depending on the recording and reproducing device and is used by the recording and reproducing device to add a signature or ICV. That is, data signed with the system signature key Ksys are successfully checked by a system (recording and reproducing device) having the same system signature key, that is, such data have the same total integrity check value ICVt so as to be sharable. If, however, data are signed with the recording and reproducing device signature key Kdev, since this signature key is unique to the recording and reproducing device, the data signed with the recording and reproducing device signature key Kdev, that is, the data stored in a recording device after the signing cannot be reproduced if an attempt is made to reproduce them after this recording device has been inserted in another recording and reproducing device; that is, an error occurs due to the unequal integrity check values ICVdev unique to the recording and reproducing device.

[0397] Thus, in the data processing apparatus ac- 
cording to the present invention, the setting of the local- 
ization field enables contents to be arbitrarily set so as 
to be shared throughout the entire system or used only 
by particular recording and reproducing devices. 
[0398] At step S63, the control section 301 of the re- 
cording and reproducing device 300 stores the content 
in the external memory 402 of the recording device 400. 
[0399] Fig. 26 is a view showing how the content is
stored in the recording device if the localization field is
set to 0. Fig. 27 is a view showing how the content is
stored in the recording device if the localization field is
set to 1. The only difference between Figs. 26 and 4 is
whether the content block information key Kbit and the
content key Kcon are encrypted with the distribution key
Kdis or the storage key Kstr. The difference between Figs.
27 and 26 is that the integrity check value calculated
from the intermediate integrity check value is encrypted
with the system signature key Ksys in Fig. 26, whereas
it is encrypted with the recording and reproducing device
signature key Kdev unique to the recording and reproducing
device in Fig. 27.

[0400] In the process flow in Fig. 22, if the verification 
of the integrity check value A has failed at step S52, if 
the verification of the integrity check value B has failed 
at step S56, if the verification of the total integrity check 
value ICVt has failed at step S57, or if the verification of 
the content block content integrity check value has failed 
at step S58, then the process proceeds to step S64 to 
provide a predetermined error display.
[0401] In addition, if the localization field is 0 at step
S61, the process skips step S62 to advance to step S63.

(8) Process Executed by Recording and Reproducing 
Device to Reproduce Information Stored in Recording 
Device 

[0402] Next, a process executed by the recording and
reproducing device 300 to reproduce content information
stored in the external memory 402 of the recording
device 400 will be explained.

[0403] Fig. 28 is a flow chart useful in explaining a procedure
executed by the recording and reproducing device
300 to read a content out from the recording device
400 and use it. In Fig. 28, the mutual authentication is 
assumed to have been completed between the record- 
ing and reproducing device 300 and the recording de- 
vice 400. 

[0404] At step S71, the control section 301 of the recording
and reproducing device 300 uses the recording
device controller 303 to read the content out from the
external memory 402 of the recording device 400. The
control section 301 of the recording and reproducing device
300 then transmits the header section of the data
to the recording and reproducing device cryptography
process section 302 of the recording and reproducing
device 300. Step S72 is similar to step S52 described
in "(7) Process for Downloading from Recording and Reproducing
Device to Recording Device"; at this step, the
control section 306 of the recording and reproducing device
cryptography process section 302, which has received
the header, causes the encryption/decryption
section 308 of the recording and reproducing device
cryptography process section 302 to calculate the integrity
check value A. The integrity check value A is calculated
in accordance with an ICV calculation method similar
to that described in Fig. 7, using as a key the
integrity-check-value-A-generating key Kicva stored in the
internal memory 307 of the recording and reproducing
device cryptography process section 302 and using the
content ID and the usage policy as a message, as
shown in the previously described Fig. 23.
[0405] As previously described, the check value A, ICVa,
is used to verify that the content ID and the usage
policy have not been tampered with. If the integrity check
value A calculated in accordance with the ICV calculation
method described in Fig. 7, using as a key the
integrity-check-value-A-generating key Kicva stored in the
internal memory 307 of the recording and reproducing device
cryptography process section 302 and using the
content ID and the usage policy as a message, equals
the check value: ICVa stored in the header, it is determined
that the content ID and usage policy stored in the
recording device 400 have not been tampered with.
[0406] Then at step S73, the control section 301 of
the recording and reproducing device 300 takes the
block information table key Kbit and the content key
Kcon out from the read-out header section and then
transmits them to the recording device 400 via the recording
device controller 303 of the recording and reproducing
device 300. On receiving the block information
table key Kbit and the content key Kcon transmitted
from the recording and reproducing device 300, the recording
device 400 causes the encryption/decryption
section 406 of the recording device cryptography process
section 401 to decrypt the received data with the
storage key Kstr unique to the recording device which
is stored in the internal memory 405 of the recording device
cryptography process section 401 and to then reencrypt the
decrypted data using the session key Kses made sharable
during the mutual authentication. Then, the control
section 301 of the recording and reproducing device 300
reads the block information key Kbit and the content key
Kcon out from the recording device 400 via the recording
device controller 303 of the recording and reproducing
device 300, the block information key Kbit and the content
key Kcon being reencrypted with the session key
Kses from the recording device 400.
[0407] Then at step S74, the control section 301 of
the recording and reproducing device 300 transmits the
received block information key Kbit and content key
Kcon to the recording and reproducing device cryptography
process section 302 of the recording and reproducing
device 300, the block information key Kbit and
content key Kcon being reencrypted with the session
key Kses.

[0408] On receiving the block information key Kbit and 
content key Kcon reencrypted with the session key 
Kses, the recording and reproducing device cryptogra- 
phy process section 302 of the recording and reproduc- 
ing device 300 causes the encryption/decryption section 
308 of the recording and reproducing device cryptogra- 
phy process section 302 to decrypt the block information 
key Kbit and content key Kcon encrypted with the ses- 
sion key Kses, using the session key Kses made shara- 
ble during the mutual authentication. The recording and 
reproducing device cryptography process section 302 
then causes the encryption/decryption section 308 to 
decrypt the block information table received at step S71,
using the decrypted block information table key Kbit. 
[0409] The recording and reproducing device cryp- 
tography process section 302 of the recording and re- 
producing device 300 substitutes the decrypted block 
information table key Kbit, content key Kcon, and block 
information table BIT with those received at step S71 for 
retention. In addition, the control section 301 of the re- 
cording and reproducing device 300 reads the decrypt- 
ed block information table BIT out from the recording 
and reproducing device cryptography process section 
302 of the recording and reproducing device 300. 
[0410] Step S75 is similar to step S56 described in
"(7) Process for Downloading from Recording and Reproducing
Device to Recording Device". The control
section 306 of the recording and reproducing device
cryptography process section 302 divides the block information
table key Kbit, content key Kcon, and block
information table (BIT) read out from the recording device
400, into 8-byte pieces and then exclusive-ORs all
of them. The control section 306 of the recording and
reproducing device cryptography process section 302
then causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section 302
to calculate the integrity check value B (ICVb). The integrity
check value B is generated by using as a key the
integrity-check-value-B-generating key Kicvb stored in
the internal memory 307 of the recording and reproducing
device cryptography process section 302, to encrypt
the previously calculated exclusive-ORed value based
on the DES, as shown in the previously described Fig.
24. Finally, the check value B and the ICVb in the header
are compared together, and if they are equal, the process
proceeds to step S76.

[0411] As previously described, the check value B,
ICVb, is used to verify that the block information table
key Kbit, the content key Kcon, and the block information
table have not been tampered with. If the integrity check
value B generated by using as a key the
integrity-check-value-B-generating key Kicvb stored in
the internal memory 307 of the recording and reproducing
device cryptography process section 302, dividing
the block information table key Kbit, the content key
Kcon, and the block information table (BIT) read from
the recording device 400 into 8-byte pieces, exclusive-ORing
these data, and encrypting the exclusive-ORed
data based on the DES, equals the check value: ICVb
stored in the header of the data read out from the recording
device 400, it is determined that the block information
table key Kbit, the content key Kcon, and the
block information table have not been tampered with.
[0412] At step S76, the control section 306 of the recording
and reproducing device cryptography process
section 302 causes the encryption/decryption section
308 of the recording and reproducing device cryptography
process section 302 to calculate the intermediate
integrity check value. The intermediate value is calculated
in accordance with the ICV calculation method described
in Fig. 7 or the like, using as a key the
total-integrity-check-value-generating key Kicvt stored in the
internal memory 307 of the recording and reproducing
device cryptography process section 302 and using the
integrity check values A and B and all the held content
integrity check values as a message. The initial value
may be IV=0 or the total-integrity-check-value-generating
initial value IVt may be used which is stored in the
internal memory 307 of the recording and reproducing
device cryptography process section 302. Additionally,
the intermediate integrity check value generated is
stored in the recording and reproducing device cryptography
process section 302 of the recording and reproducing
device 300 as required.

[0413] Then at step S77, the control section 301 of
the recording and reproducing device 300 takes the localization
field out from the usage policy contained in
the header section of the data read out from the external
memory 402 of the recording device 400, to determine
whether the downloaded content can be used only in
this recording and reproducing device 300 (in this case,
the localization field is set to 1) or also by other similar
recording and reproducing devices 300 (in this case, the
localization field is set to 0). If the result of the determination
shows that the localization field is set to 1, that
is, it is set such that the downloaded content can be used
only in this recording and reproducing device 300, the
process proceeds to step S80. If the localization is set
to 0, that is, it is set such that the content can also be
used by other similar recording and reproducing device
300, then the process proceeds to step S78. Step S77
may be processed by the cryptography process section
302.

[0414] At step S78, the total integrity check value ICVt
is calculated in the same manner as step S58 described
in "(7) Process for Downloading from Recording and Reproducing
Device to Recording Device". That is, the
control section 306 of the recording and reproducing device
cryptography process section 302 causes the encryption/decryption
section 308 of the recording and reproducing
device cryptography process section 302 to
calculate the total integrity check value ICVt. The total
integrity check value ICVt is generated by using as a
key a system signature key Ksys stored in the internal
memory 307 of the recording and reproducing device
cryptography process section 302, to encrypt the intermediate
integrity check value based on the DES, as
shown in the previously described Fig. 25.
[0415] Then, the process proceeds to step S79 to compare
the total integrity check value ICVt generated at
step S78 with the ICVt in the header stored at step S71.
If the values are equal, the process proceeds to step
S82.

[0416] As previously described, the total integrity 
check value ICVt is used to verify that the integrity check 
values ICVa and ICVb and all the content block integrity 
check values have not been tampered with. Thus, if the total
integrity check value generated by means of the above 
described process equals the integrity check value: ICVt 
stored in the header, it is determined that the integrity 
check values ICVa and ICVb and all the content block 
integrity check values have not been tampered with in the
data stored in the recording device 400. 
[0417] If the result of the determination at step S77 
shows that the localization field is set such that the 
downloaded content can be used only in this recording 
and reproducing device 300, that is, it is set to 1, the
process proceeds to step S80. 

[0418] At step S80, the control section 306 of the re- 
cording and reproducing device cryptography process 
section 302 causes the encryption/decryption section 
308 of the recording and reproducing device cryptogra- 
phy process section 302 to calculate the integrity check 
value ICVdev unique to the recording and reproducing 
device. The integrity check value ICVdev unique to the 
recording and reproducing device is generated, as 
shown in the previously described Fig. 25, by using as
a key a recording and reproducing device signature key 
Kdev unique to the recording and reproducing device 
stored in the internal memory 307 of the recording and 
reproducing device cryptography process section 302, 
to encrypt the intermediate integrity check value based 
on the DES, the intermediate integrity check value being 
held at step S58. At step S81, the check value ICVdev
unique to the recording and reproducing device calculated
at step S80 is compared with the ICVdev stored at
step S71, and if they are equal, the process proceeds
to step S82.

[0419] Thus, data signed with the same system sig- 
nature key Ksys are successfully checked by a system 
(recording and reproducing device) having the same 
system signature key, that is, such data have the same 
total integrity check value ICVt so as to be sharable. If,
however, data are signed with the recording and repro- 
ducing device signature key Kdev, since this signature 
key is unique to the recording and reproducing device,
the data signed with the recording and reproducing device
signature key Kdev, that is, the data stored in a recording
device after the signing cannot be reproduced
if an attempt is made to reproduce them after this re- 
cording device has been inserted in another recording 
and reproducing device; that is, an error occurs due to 
a mismatch in the integrity check value ICVdev unique 
to the recording and reproducing device. Accordingly, 
the setting of the localization field enables contents to 
be arbitrarily set so as to be shared throughout the entire 
system or used only by particular recording and repro- 
ducing devices. 
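
The check chain of steps S72 to S81, including the choice between Ksys and Kdev by the localization field, can be sketched as follows. This is an added example, not code from the patent: truncated HMAC-SHA-256 stands in for the DES block operation, the Fig. 7 method is assumed to be CBC-style chaining, and all key values, the header layout (localization field as the last policy byte) and the function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 8  # every ICV on the page is one 8-byte DES block


def prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for one DES block encryption (assumption: truncated HMAC-SHA-256)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pieces(data: bytes) -> list:
    """Split into 8-byte pieces, zero-padding the last one."""
    data += b"\x00" * (-len(data) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_fold(data: bytes) -> bytes:
    """Exclusive-OR all 8-byte pieces together (the input to ICVb)."""
    acc = bytes(BLOCK)
    for piece in pieces(data):
        acc = xor(acc, piece)
    return acc


def chained_icv(key: bytes, message: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    """Assumed shape of the Fig. 7 method: CBC-style chaining from IV = 0."""
    state = iv
    for piece in pieces(message):
        state = prf(key, xor(state, piece))
    return state


def make_device(kdev: bytes) -> dict:
    """Constructed key set: system-wide keys are shared, Kdev is per device."""
    return {"Kicva": b"icva-key", "Kicvb": b"icvb-key", "Kicvt": b"icvt-key",
            "Ksys": b"sys-key!", "Kdev": kdev}


def header_icvs(dev: dict, h: dict) -> tuple:
    """Recompute ICVa, ICVb and the final value selected by the localization field."""
    icva = chained_icv(dev["Kicva"], h["content_id"] + h["policy"])
    icvb = prf(dev["Kicvb"], xor_fold(h["kbit"] + h["kcon"] + h["bit"]))
    inter = chained_icv(dev["Kicvt"], icva + icvb + b"".join(h["content_icvs"]))
    localized = h["policy"][-1] == 1          # constructed layout: last policy byte
    final = prf(dev["Kdev"] if localized else dev["Ksys"], inter)
    return icva, icvb, final, localized


def store(dev: dict, content_id: bytes, localization: int, kbit: bytes,
          kcon: bytes, bit: bytes, content_icvs: list) -> dict:
    """Download side: build the header and attach ICVa, ICVb and ICVt or ICVdev."""
    h = {"content_id": content_id, "policy": b"POLICY\x00" + bytes([localization]),
         "kbit": kbit, "kcon": kcon, "bit": bit, "content_icvs": content_icvs}
    h["ICVa"], h["ICVb"], h["ICV"], _ = header_icvs(dev, h)
    return h


def reproduce_check(dev: dict, h: dict) -> str:
    """Reproduction side: return 'ok' or the step at which verification fails."""
    icva, icvb, final, localized = header_icvs(dev, h)
    if not hmac.compare_digest(icva, h["ICVa"]):
        return "S72 failed: ICVa"
    if not hmac.compare_digest(icvb, h["ICVb"]):
        return "S75 failed: ICVb"
    if not hmac.compare_digest(final, h["ICV"]):
        return "S81 failed: ICVdev" if localized else "S79 failed: ICVt"
    return "ok"
```

Because the localization field sits inside the usage policy covered by ICVa, changing it from 1 to 0 on the stored header is caught at step S72 before the Ksys or Kdev branch is reached.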

[0420] At step S82, the control section 301 of the re- 
cording and reproducing device 300 takes content block 
information out from the block information table (BIT) 
read out at step S74 and checks whether any content 
block is to be encrypted. If any content block is to be 
encrypted, the control section 301 reads this content 
block out from the external memory 402 of the recording 
device 400 via the recording device controller 303 of the 
recording and reproducing device 300 and then trans- 
mits the content block to the recording and reproducing 
device cryptography process section 302 of the record- 
ing and reproducing device 300. On receiving the con- 
tent block, the control section 306 of the recording and 
reproducing device cryptography process section 302 
causes the encryption/decryption section 308 of the re- 
cording and reproducing device cryptography process 
section 302 to decrypt the content, while causing the en- 
cryption/decryption section 308 to calculate the content 
integrity check value at step S83 if the content block is 
to be verified. 

[0421] Step S83 is similar to step S58 described in
"(7) Process for Downloading from Recording and Reproducing
Device to Recording Device". The control
section 301 of the recording and reproducing device 300 
takes content block information out from the block infor- 
mation table (BIT) and determines from the stored con- 
tent integrity check value whether any content block is 
to be verified. If any content block is to be verified, the 
control section 301 receives this content block from the 
external memory 402 of the recording device 400 and 
transmits it to the recording and reproducing device 
cryptography process section 302 of the recording and 
reproducing device 300. On receiving the content block, 
the control section 306 of the recording and reproducing 
device cryptography process section 302 causes the 
encryption/decryption section 308 of the recording and 
reproducing device cryptography process section 302 
to calculate the content intermediate value. 
[0422] The content intermediate value is generated 
by using the content key Kcon decrypted at step S74 to 
decrypt the input content block in the DES CBC mode, 
separating the resulting data into 8-byte pieces, and ex- 
clusive-ORing all these pieces. 

[0423] Then, the control section 306 of the recording
and reproducing device cryptography process section
302 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process
section 302 to calculate the content integrity check value.
The content integrity check value is generated by
using as a key the content-integrity-check-value-generating
key Kicvc stored in the internal memory 307 of the
recording and reproducing device cryptography process
section 302, to encrypt the content intermediate value
based on the DES. Then, the control section 306 of the
recording and reproducing device cryptography process
section 302 compares this content integrity check value
with the ICV in the content block received from the control
section 301 of the recording and reproducing device
300 at step S71, and passes the result to the control
section 301 of the recording and reproducing device
300. On receiving the result and if the verification has
been successful, the control section 301 of the recording
and reproducing device 300 takes out the next content
block to be verified and causes the recording and reproducing
device cryptography process section 302 of the
recording and reproducing device 300 to verify this content
block. Similar verification processes are repeated
until all the content blocks are verified. The initial value
may be IV=0 or the content-integrity-check-value-generating
initial value IVc may be used which is stored in
the internal memory 307 of the recording and reproducing
device cryptography process section 302. Additionally,
all the checked content integrity check values are
held in the recording and reproducing device cryptography
process section 302 of the recording and reproducing
device 300. Furthermore, the recording and reproducing
device cryptography process section 302 of the
recording and reproducing device 300 monitors the order
in which the content blocks are verified to consider
the authentication to have failed if the order is incorrect
or if it is caused to verify the same content block twice
or more.

[0424] The control section 301 of the recording and 
reproducing device 300 receives the result of the com- 
parison of the content integrity check value (if no content 
block is to be verified, all the results of comparisons will 
be successful), and if the verification has been success- 
ful, it takes the decrypted content from the recording and 
reproducing device cryptography process section 302 
of the recording and reproducing device 300. It then 
takes out the next content block to be verified and causes
the recording and reproducing device cryptography 
process section 302 of the recording and reproducing 
device 300 to decrypt this content block. Similar verifi- 
cation processes are repeated until all the content 
blocks are decrypted. 

[0425] At step S83, if the recording and reproducing 
device cryptography process section 302 of the record- 
ing and reproducing device 300 determines after the 
verification process that the content integrity check val- 
ues are not equal, it considers the verification to have 
failed and avoids decrypting the remaining contents. In 
addition, the recording and reproducing device cryptography
process section 302 of the recording and reproducing
device 300 monitors the order in which the content
blocks are decrypted to consider the decryption to
have failed if the order is incorrect or if it is caused to 
decrypt the same content block twice or more. 
[0426] If the verification of the integrity check value A 
has failed at step S72, if the verification of the integrity 
check value B has failed at step S75, if the verification 
of the total integrity check value ICVt has failed at step 
S79, if the verification of the integrity check value 
ICVdev unique to the recording and reproducing device 
has failed at step S81, or if the verification of the content
block content integrity check value has failed at step
S81, then the process proceeds to step S84 to provide
a predetermined error display.

[0427] As described above, not only important data or 
content can be encrypted, concealed, or checked for 
tampering when the content is downloaded or used, but
even if data on a recording medium are simply copied 
to another recording medium, the content can be pre- 
vented from being correctly decrypted because the 
block information table key Kbit for decrypting the block 
information table BIT and the content key Kcon for de- 
crypting the content are stored with the storage key Kstr 
unique to the recording medium. More specifically, for 
example, at step S74 in Fig. 28, another recording
device cannot decrypt the data correctly because each
recording device decrypts data encrypted with a different
storage key Kstr.

(9) Key Exchanging Process after Mutual Authentication 

[0428] The data processing apparatus according to 
the present invention is partly characterized in that the 
recording device 400 can be used only after the above 
described mutual authentication process between the 
recording and reproducing device 300 and the recording 
device 400 and in that the use form of the recording de- 
vice is limited. 

[0429] For example, to prevent a user from generating 
a recording device such as a memory card in which a 
content is stored by means of illegal copying or the like 
and setting this recording device in a recording and re- 
producing device for use, the mutual authentication 
process is executed between the recording and repro- 
ducing device 300 and the recording device 400 and 
(encrypted) contents can be transferred between the re- 
cording and reproducing device 300 and the recording 
device 400 only if they have been mutually authenticat- 
ed. 

[0430] To achieve the above restrictive process, ac- 
cording to the present data processing apparatus, all the 
processes in the cryptography process section 401 of 
the recording device 400 are executed based on preset 
command strings. That is, the recording device has such 
a command process configuration that it sequentially 
obtains commands from a register based on command 
numbers. Fig. 29 is a view useful in explaining the command
process configuration of the recording device.



[0431] As shown in Fig. 29, between the recording
and reproducing device 300 having the recording and reproducing
device cryptography process section 302 and
the recording device 400 having the recording device
cryptography process section 401, command numbers
(No.) are output from the recording device controller 303
to the communication section (including a reception register)
404 of the recording device 400 under the control
of the control section 301 of the recording and reproducing
device 300.

[0432] The recording device 400 has a command
number managing section 2201 (2901?) in the control
section 403 in the cryptography process section 401.
The command number managing section 2901 holds a
command register 2902 to store command strings corresponding
to command numbers output from the recording
and reproducing device 300. In the command
strings, command numbers 0 to y are sequentially associated
with execution commands, as shown in the
right of Fig. 29. The command number managing section
2901 monitors command numbers output from the
recording and reproducing device 300 to take corresponding
commands out from a command register 2902
for execution.

[0433] In command sequences stored in the command
register 2902, a command string for an authentication
process sequence is associated with the leading
command numbers 0 to k, as shown in the right of Fig.
29. Furthermore, command numbers p to s following the
command string for the authentication process sequence
are associated with a decryption, key exchange,
and encryption process command sequence 1, and the
following command numbers u to y are associated with
a decryption, key exchange, and encryption process
command sequence 2.

[0434] As previously described for the authentication
process flow in Fig. 20, when the recording device 400
is installed in the recording and reproducing device 300,
the control section 301 of the recording and reproducing
device 300 transmits an initialization command to the
recording device 400 via the recording device controller
303. On receiving the command, the recording device
400 causes the control section 403 of the recording device
cryptography process section 401 to receive the
command via the communication section 404 and clear
an authentication flag 2903. That is, the unauthenticated
state is set. Alternatively, in such a case that power is
supplied from the recording and reproducing device 300
to the recording device 400, the unauthenticated state
(?) may be set on power-on.

[0435] Then, the control section 301 of the recording
and reproducing device 300 transmits an initialization
command to the recording and reproducing device cryptography
process section 302. At this point, it also transmits
a recording device insertion port number. When the
recording device insertion port number is transmitted,
even if a plurality of recording devices 400 are connected
to the recording and reproducing device 300, the recording
and reproducing device 300 can simultaneously
execute authentication with these recording devices
400 and transmit and receive data thereto and therefrom.

[0436] On receiving the initialization command, the 
recording and reproducing device cryptography process 
section 302 of the recording and reproducing device 300 
causes the control section thereof to clear the authenti- 
cation flag 2904 corresponding to the recording device 
insertion port number. That is, the unauthenticated state 
is set. 

[0437] Once this initialization process has been com- 
pleted, the control section 301 of the recording and re- 
producing device 300 sequentially outputs command 
numbers via the recording device controller 303 in an 
ascending order starting with the command number 0. 
The command number managing section 2901 of the 
recording device 400 monitors the command numbers 
input from the recording and reproducing device 300 to 
ascertain that they are sequentially input starting with 
the command number 0, and obtains the corresponding 
commands from the command register 2902 to execute 
various processes such as the authentication process. 
If the input command numbers are not in a specified or- 
der, an error occurs and a command number accept- 
ance value is reset to an initial state, that is, an execut- 
able command number is reset at 0. 
[0438] In the command sequences stored in the com- 
mand register 2902 as shown in Fig. 29, the command 
numbers are imparted so as to carry out the authentica- 
tion process first, and following this process sequence, 
the decryption, key exchange, and encryption process
sequence is stored. 

[0439] A specific example of the decryption, key
exchange, and encryption process sequence will be
explained with reference to Figs. 30 and 31.
[0440] Fig. 30 shows part of the process executed in 
downloading a content from the recording and reproduc- 
ing device 300 to the recording device 400 as previously 
described in Fig. 22. Specifically, this process is execut- 
ed between steps 59 and 60 in Fig. 22. 
[0441] In Fig. 30, at step S3001, the recording device
receives data (ex. the block information table Kbit and
the content key Kcon) encrypted with the session key
Kses, from the recording and reproducing device.
Thereafter, the command strings p to s shown in the 
above described Fig. 29 are started. The command 
strings p to s are started after the authentication process 
commands 0 to k have been completed to cause au- 
thentication flags 2903 and 2904 shown in Fig. 29 to be 
set to indicate the completion. This is ensured by the 
command number managing section 2901 by accepting 
the command numbers only in the ascending order 
starting with 0. 

[0442] At step S3002, the recording device stores in
the register the data (ex. the block information table Kbit
and the content key Kcon) received from the recording
and reproducing device and encrypted with the session
key Kses.

[0443] At step S3003, a process is executed which 
takes the data (ex. the block information table Kbit and 
the content key Kcon) encrypted with the session key 
Kses, out from the register and decrypts them with the
session key Kses. 

[0444] At step S3004, a process is executed which 
encrypts the data (ex. the block information table Kbit 
and the content key Kcon) decrypted with the session
key Kses, using the storage key Kstr.

[0445] The above process steps 3002 to 3004 correspond
to processes included in the command numbers
p to s in the command register previously described in
Fig. 29. These processes are sequentially executed by
the recording device cryptography process section 401
in accordance with the command numbers p to s received
by the command number managing section 2901
of the recording device 400 from the recording and reproducing
device 300.

[0446] At the next step S3005, the data (ex. the block
information table Kbit and the content key Kcon) encrypted
with the storage key Kstr are stored in the external
memory of the recording device. At this step, the
recording and reproducing device 300 may read the data
encrypted with the storage key Kstr, out from the recording
device cryptography process section 401 and
then store them in the external memory 402 of the recording
device 400.

[0447] The above described steps S3002 to S3004
constitute an uninterruptible continuously-executed execution
sequence; even if, for example, the recording
and reproducing device 300 issues a data read command
at the end of the decryption process at step
S3003, since this read command differs from the command
numbers p to s set in the command register 2902
in the ascending order, the command number managing
section 2901 does not accept execution of the read. Accordingly,
the decrypted data resulting from the key exchange
in the recording device 400 cannot be read out
by an external device, for example, the recording and
reproducing device 300, thereby preventing key data or 
contents from being illegally read out. 
[0448] Fig. 31 shows part of the content reproducing 
process previously described in Fig. 28 in which a content
is read out from the recording device 400 and reproduced
by the recording and reproducing device 300.
Specifically, this process is executed at step S73 in Fig. 
28. 

[0449] In Fig. 31, at step S3101, the data (ex. the
block information table Kbit and the content key Kcon)
encrypted with the storage key Kstr are read out from 
the external memory 402 of the recording device 400. 
[0450] At step S3102, the data (ex. the block information
table Kbit and the content key Kcon) read out from
the memory of the recording device and encrypted with
the storage key Kstr are stored in the register. At this
step, the recording and reproducing device 300 may
read the data encrypted with the storage key Kstr, out
from the external memory 402 of the recording device
400 and then store them in the register of the recording 
device 400. 

[0451] At step S3103, the data (ex. the block information
table Kbit and the content key Kcon) encrypted with
the storage key Kstr are taken out from the register and 
decrypted with the storage key Kstr. 
[0452] At step S3104, the data (ex. the block information
table Kbit and the content key Kcon) decrypted with
the storage key Kstr are encrypted with the session key 
Kses. 

[0453] The above process steps 3102 to 3104 correspond
to processes included in the command numbers
u to y in the command register previously described in
Fig. 29. These processes are sequentially executed by
the recording device cryptography process section 406
in accordance with the command numbers u to y received
by the command number managing section 2901
of the recording device from the recording and repro- 
ducing device 300. 

[0454] At the next step S3105, the data (ex. the block
information table Kbit and the content key Kcon) en- 
crypted with the session key Kses are transmitted from 
the recording device to the recording and reproducing 
device. 

[0455] The above described steps S3102 to S3104 
constitute an uninterruptible continuously-executed ex- 
ecution sequence; even if, for example, the recording 
and reproducing device 300 issues a data read com- 
mand at the end of the decryption process at step 
S3103, since this read command differs from the com- 
mand numbers u to y set in the command register 2902 
in the ascending order, the command number managing 
section 2901 does not accept execution of the read. Ac- 
cordingly, the decrypted data resulting from the key ex- 
change in the recording device 400 cannot be read out 
by an external device, for example, the recording and 
reproducing device 300, thereby preventing key data or 
contents from being illegally read out. 
[0456] For the process shown in Figs. 30 and 31, the
example is shown where the block information table key
Kbit and the content key Kcon are decrypted and encrypted
by means of key exchange, but these command
sequences stored in the command register 2902 shown
in Fig. 29 may include decryption and encryption processes
involving key exchanges for the content itself. The
object to be decrypted or encrypted by means of key 
exchanges is not limited to the above described exam- 
ple. 

[0457] The key exchange process after the mutual authentication
in the present data processing apparatus
has been described. Thus, the key exchange process 
in the present data processing apparatus can be carried 
out only after the authentication process between the 
recording and reproducing device and the recording de- 
vice has been completed. Further, decrypted data can 
be prevented from being externally accessed during the 
key exchange process, thereby ensuring the improved
security of contents and key data.
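
The ordering guarantee described in [0447] and [0455] can be modelled as a small state machine. The following is an added sketch, not code from the patent: the command numbers (0 to 2 for "0 to k", 3 to 5 for "p to s", 6 for the read-out of step S3005), the class and function names, and the `toy_crypt` stand-in for DES are all assumptions, and the mutual authentication itself is reduced to setting the flag.

```python
import hashlib


def toy_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for the DES operations on the page (NOT DES): XOR with a
    SHA-256-derived keystream, so the same call encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class RecordingDevice:
    """Hypothetical model of the command number managing section: a command
    runs only if its number is the next one in ascending order from 0."""

    AUTH_LAST = 2                                    # constructed: "0 to k"
    LOAD, DEC_KSES, ENC_KSTR, READ_OUT = 3, 4, 5, 6  # constructed: "p to s" + read

    def __init__(self, kses: bytes, kstr: bytes):
        self._kses, self._kstr = kses, kstr
        self._expected = 0        # next acceptable command number
        self._register = None     # internal register, never returned early
        self.auth_flag = False
        self.log = []             # (decision, command number) audit trail

    def submit(self, number: int, payload: bytes = None):
        """Return (accepted, output). A refused command executes nothing."""
        if number != self._expected:
            self.log.append(("refused", number))
            return False, None
        output = self._execute(number, payload)
        self._expected += 1
        self.log.append(("executed", number))
        return True, output

    def _execute(self, number, payload):
        if number <= self.AUTH_LAST:
            # Authentication exchange not modelled; the last command sets the flag.
            if number == self.AUTH_LAST:
                self.auth_flag = True
        elif number == self.LOAD:        # S3002: store Kses-encrypted data
            self._register = payload
        elif number == self.DEC_KSES:    # S3003: plaintext exists only here
            self._register = toy_crypt(self._kses, self._register)
        elif number == self.ENC_KSTR:    # S3004: re-encrypt under Kstr
            self._register = toy_crypt(self._kstr, self._register)
        elif number == self.READ_OUT:    # S3005: only Kstr-encrypted data leaves
            return self._register
        return None


def run_store_sequence(dev: RecordingDevice, wrapped: bytes, probe_after=None):
    """Issue commands 0..6 in order. If probe_after is given, also issue an
    early READ_OUT right after that command. Returns (probe_result, final)."""
    probe, final = None, None
    for number in range(RecordingDevice.READ_OUT + 1):
        payload = wrapped if number == RecordingDevice.LOAD else None
        _, out = dev.submit(number, payload)
        if number == RecordingDevice.READ_OUT:
            final = out
        if number == probe_after:
            probe = dev.submit(RecordingDevice.READ_OUT)
    return probe, final


if __name__ == "__main__":
    kses, kstr = b"constructed-session-key", b"constructed-storage-key"
    keys = b"KBIT-0123KCON-4567"          # constructed sample key material
    device = RecordingDevice(kses, kstr)
    probe, final = run_store_sequence(device, toy_crypt(kses, keys),
                                      probe_after=RecordingDevice.DEC_KSES)
    print("early read:", probe, "| final equals Kstr-wrapped:",
          final == toy_crypt(kstr, keys))
```

The sketch only refuses an out-of-order command and leaves the sequence position unchanged; what the real device does after a refusal is not stated on the page.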

(10) Plural Content Data Formats and Download and Reproduction Processes Corresponding to Each Format

[0458] In the above described embodiment, for example,
the data format for the medium 500 or communication
means 600 shown in Fig. 3 is of the type shown in
Fig. 4. The data format for the medium 500 or the communication
means 600 is not limited to the one shown
in Fig. 4 but preferably depends on the content, that is,
whether the content is music, image data, a program
such as a game, or the like. A plurality of data formats
as well as processes for downloading and reproducing
data from and to the recording device 400 will be explained.

[0459] Figs. 32 to 35 show four different data formats.
A data format used on the medium 500 or the communication
means 600 shown in Fig. 3 is shown in the left
of each figure, while a data format used in storing data
in the external memory 402 of the recording device 400
is shown in the right of each figure. An outline of the data
formats shown in Figs. 32 to 35 will first be provided,
and the contents of each data in each format and differences
among data in each format will be explained.
[0460] Fig. 32 shows a format type 0, which is of the
same type as that shown as an example in the above
description. The format type 0 is characterized in that
the entire data are divided into N data blocks each having
an arbitrary size, that is, blocks 1 to N, each of which
is arbitrarily encrypted so that data can be configured
by mixing together encrypted blocks and non-encrypted
blocks, that is, plain text blocks. The blocks are encrypted
with the content key Kcon, which is encrypted with
the distribution key Kdis on the medium or with the storage
key Kstr stored in the internal memory of the recording
device when it is stored in the recording device. The
block information key Kbit is also encrypted with the distribution
key Kdis on the medium or with the storage key
Kstr stored in the internal memory of the recording device
when it is stored in the recording device. These key
exchanges are carried out in accordance with the process
described in "(9) Key Exchange Process after Mutual
Authentication".

[0461] Fig. 33 shows a format type 1, in which the entire
data are divided into N data blocks, that is, blocks 1
to N, as in the format type 0 but which differs from the
format type 0 in that the N blocks are all of the same
size. The aspect of the process for encrypting blocks
with the content key Kcon is similar to that in the format
type 0. Additionally, as in the above described format
type 0, the content key Kcon and the block information
table key Kbit are encrypted with the distribution key
Kdis on the medium or with the storage key Kstr stored
in the internal memory of the recording device when it
is stored in the recording device. Unlike the format type
0, the format type 1 has a fixed block configuration to
simplify configuration data such as data length for each
block, thereby enabling a memory size for block information
to be reduced compared to the format type 0.
[0462] In the example of configuration in Fig. 33, each 
block comprises a set of an encrypted part and a non- 
encrypted (plain text) part. If the length and configura- 
tion of the block are thus regular, each block length or 
configuration need not be checked during the decryption 
process or the like, thereby enabling efficient decryption 
and encryption processes. In the format 1, the parts constituting
each block, that is, the encrypted part and the
non-encrypted (plain text) part can each be defined as 
an object to be checked, so that the content integrity 
check value ICVi is defined for a block containing a part 
that must be checked. 

[0463] Fig. 34 shows a format type 2, which is char- 
acterized in that the data are divided into N data blocks 
all having the same size, that is, blocks 1 to N, each of 
which is encrypted with an individual block key Kblc. 
Each block key Kblc is encrypted with the content key 
Kcon, which is encrypted with the distribution key Kdis 
on the medium or with the storage key Kstr stored in the 
internal memory of the recording device when it is stored 
in the recording device. The block information table key 
Kbit is also encrypted with the distribution key Kdis on 
the medium or with the storage key Kstr stored in the 
internal memory of the recording device when it is stored 
in the recording device. 

[0464] Fig. 35 shows a format type 3, which is char- 
acterized in that the data are divided into N data blocks 
all having the same size, that is, blocks 1 to N, each of 
which is encrypted with an individual block key Kblc, as 
in the format type 2, and in that each block key Kblc is 
encrypted with the distribution key Kdis on the medium 
or with the storage key Kstr on the recording device, 
without the use of the content key. No content key Kcon 
is present on the medium or on the device. The block 
information table key Kbit is encrypted with the distribu- 
tion key Kdis on the medium or with the storage key Kstr 
stored in the internal memory of the recording device 
when it is stored in the recording device. 
[0465] Next, the contents of the data in the above for- 
mat types 0 to 3 will be described. As previously de- 
scribed, the data are roughly divided into two, that is, 
the header section and the content section. The header 
section contains the content ID, the usage policy, the 
integrity check values A and B, the total integrity check 
value, the block information table key, the content key, 
and the block information table. 

[0466] The usage policy stores the data length of a 
content, its header length, its format type (formats 0 to 
3 described below), a content type indicating whether 
the content is a program or data, a localization flag that 
determines whether the content can be used only by a 
particular recording and reproducing device as described
in the section relating to the processes for downloading
and reproducing a content to and from the recording
device, a permission flag for a content copying
or moving process, and various localization and process
information for the content such as a content encryption 
algorithm and a mode. 

[0467] The integrity check value A: ICVa is used to
check the content ID and the usage policy and generated
using, for example, the method described in the
above described Fig. 23. 

[0468] The block information table key Kbit is used to 
encrypt the block information table and is encrypted with the
distribution key Kdis on the medium or with the storage
key Kstr stored in the internal memory of the recording 
device when it is stored in the recording device, as pre- 
viously described. 

[0469] The content key Kcon is used to encrypt a content.
For the format types 0 and 1, it is encrypted with
the distribution key Kdis on the medium or with the storage
key Kstr stored in the internal memory of the recording
device when it is stored in the recording device, similarly
to the block information table key Kbit. For the format
type 2, the content key Kcon is also used to encrypt
the block key Kblc configured for each content block. 
Additionally, for the format type 3, no content key Kcon 
is present. 

[0470] The block information table describes informa- 
tion on the individual blocks and stores the size of each 
block and a flag indicating whether the block has been 
encrypted, that is, information indicating whether or not 
the block is to be checked (ICV). If the block is to be 
checked, the block integrity check value ICVi (the integ- 
rity check value for the block i) is defined and stored in 
the table. This block information table is encrypted with 
the block information table key Kbit. 
[0471] If the block has been encrypted, the block in- 
tegrity check value, that is, the content integrity check 
value ICVi is generated by exclusive-ORing the entire 
plain text (decrypted text) every 8 bytes and then en- 
crypting the obtained value with the content-integrity- 
check-value-generating key Kicvc stored in the internal 
memory 307 of the recording and reproducing device 
300. Additionally, if the block has not been encrypted, 
the block integrity check value is generated by sequen- 
tially inputting the entire block data (plain text) to a 
tamper-check-value-generating function shown in Fig. 
36 (DES-CBC-MAC using the content-integrity-check- 
value-generating key Kicvc) in such a manner that 8 
bytes are input each time. Fig. 36 shows an example of 
a configuration for generating the content block integrity 
check value ICVi. Each message M constitutes each set 
of 8 bytes of decrypted text data or plain text data. 
[0472] For the format type 1, if at least one of the parts
in the block is data to be processed with the integrity
check value ICVi, that is, a part to be checked, the content
integrity check value ICVi is defined for that block.
An integrity check value P-ICVij for a part j of a block i
is generated by exclusive-ORing the entire plain text (decrypted
text) every 8 bytes and then encrypting the obtained
data with the content-integrity-check-value-generating
value Kicvc. In addition, if a part j has not been
encrypted, the integrity check value P-ICVij is generated
by sequentially inputting the entire block data (plain text) 
to the tamper-check-value-generating function shown in 
Fig. 36 (DES-CBC-MAC using the content-integrity- 
check-value-generating key Kicvc) in such a manner 
that 8 bytes are input each time. 
[0473] Further, if the block i contains one part having 
[ICV flag = subject of ICV] indicating that it is to be 
checked, the integrity check value P-ICVij generated us- 
ing the above method is directly used as the block in- 
tegrity check value ICVi. If the block i contains a plurality 
of parts having [ICV flag = subject of ICV] indicating that 
they are to be checked, the integrity check value P-ICVij 
is generated by connecting a plurality of parts integrity 
check values P-ICVij together in accordance with part 
numbers to obtain data and sequentially inputting the 
entire data (plain data) to the tamper-check-value-generating
function shown in Fig. 37 (DES-CBC-MAC using
the content-integrity-check-value-generating key Kicvc) 
in such a manner that 8 bytes are input each time. Fig. 
37 shows an example of configuration for generating the 
content block content integrity check value ICVi. 
[0474] The block integrity check value ICVi is not de- 
fined for the format types 2 or 3. 

[0475] The integrity check value B:ICVb is used to 
check the block information table key, the content key, 
and the entire block information table and generated us- 
ing, for example, the method described in the previously 
described Fig. 24. 

[0476] The total integrity check value ICVt is used to 
check the entirety of the previously described integrity 
check values A: ICVa and B: ICVb and the integrity check value ICVi contained
in each block of the content to be checked and is
generated by applying the system signature key Ksys
to the intermediate integrity check value generated from
each integrity check value such as the integrity check 
value A: ICVa to execute the encryption process as de- 
scribed in the previously described Fig. 25. 
[0477] For the format types 2 and 3, the total integrity 
check value ICVt is generated by applying the system 
signature key Ksys to the intermediate integrity check 
value generated by connecting the previously described 
integrity check values A: ICVa and B: ICVb to the content 
data, that is, the entire content data between the block 
key in block 1 and the final block, to execute the encryp- 
tion process. Fig. 38 shows an example of configuration 
for generating the total integrity check value ICVt for the 
format types 2 and 3. 

[0478] The unique integrity check value ICVdev is 
substituted with the total integrity check value ICVt if the 
previously described localization flag is set to 1, that is,
indicates that the content can be used only by a particular
recording and reproducing device. For the format
types 0 and 1, the unique integrity check value ICVdev
is generated to check the previously described integrity
check values A: ICVa and B: ICVb and the integrity
check value ICVi contained in each block of the content
to be checked. Specifically, the unique integrity check
value ICVdev is generated by applying the recording
and reproducing device signature key Kdev to the intermediate
integrity check value generated from the integrity
check values such as the integrity check value A:
ICVa, as explained in the previously described Fig. 25 
or 38. 

[0479] Next, processes for downloading a content of 
each of the format types 0 to 3 from the recording and
reproducing device 300 to the recording device 400 and
processes executed by the recording and reproducing 
device 300 to reproduce a content of each of the format 
types 0 to 3 from the recording device 400 will be de- 
scribed with reference to the flow charts in Figs. 39 to 44. 

[0480] First, the process for downloading a content of
the format type 0 or 1 will be explained with reference 
to Fig. 39. 

[0481] The process shown in Fig. 39 is started, for example,
by installing the recording device 400 into the
recording and reproducing device 300 shown in Fig. 3.
At step S101, authentication is executed between the
recording and reproducing device and the recording device,
and this step is carried out in accordance with the
authentication process flow previously described in Fig.
20.

[0482] If the authentication process at step S101 has
been completed to set the authentication flag, then at
step S102, the recording and reproducing device 300
reads data of a predetermined format from the medium
500 via the read section 304, the medium 500 storing
content data, or uses the communication section 305 to
receive data from the communication means 600 in accordance
with a predetermined format. Then, the control
section 301 of the recording and reproducing device 300
transmits the header section of the data to the recording
and reproducing device cryptography process section
302 of the recording and reproducing device 300.
[0483] Next, at step S103, the control section 306 of
the recording and reproducing device cryptography
process section 302 causes the encryption/decryption
section 308 of the recording and reproducing device
cryptography process section 302 to calculate the integrity
check value A. The integrity check value A is calculated
in accordance with the ICV calculation method described
in Fig. 7, using as a key the integrity-check-value-A-generating
key Kicva stored in the internal memory
307 of the recording and reproducing device cryptography
process section 302 and using the content ID
and the usage policy as a message, as shown in Fig.
23. Then at step S104, the integrity check value A and
the check value: ICVa stored in the header are compared
together, and if they are equal, the process proceeds
to step S105.

[0484] As previously described, the check value A, ICVa
is used to verify that the content ID and the usage
policy have not been tampered. If the integrity check value
A calculated, for example, in accordance with the ICV
calculation, using as a key the integrity-check-value-A-generating
key Kicva stored in the internal memory 307
of the recording and reproducing device cryptography
process section 302 and using the content ID and the
usage policy as a message, equals the check value: ICVa
stored in the header, it is determined that the content
ID and the usage policy have not been tampered.
[0485] Next, at step S105, the control section 306 of
the recording and reproducing device cryptography 
process section 302 causes the encryption/decryption 
section 308 of the recording and reproducing device 
cryptography process section 302 to obtain or generate 
the distribution key Kdis. The distribution key Kdis is 
generated using, for example, the master key MKdis for 
the distribution key, as in step S53 in the previously de- 
scribed Fig. 22. 

[0486] Then at step S106, the control section 306 of 
the recording and reproducing device cryptography 
process section 302 uses the encryption/decryption 
section 308 of the recording and reproducing device 
cryptography process section 302 as well as the generated
distribution key Kdis, to decrypt the block information
table key Kbit and content key Kcon stored in the
header section of the data obtained from the medium 
500 via the read section 304 or received from the com- 
munication means 600 via the communication section 
305. 

[0487] Further, at step S107, the control section 306 
of the recording and reproducing device cryptography 
process section 302 uses the encryption/decryption 
section 308 of the recording and reproducing device 
cryptography process section 302 to decrypt the block 
information table with the decrypted block information 
table key Kbit. 

[0488] Further, at step S108, the control section 306 
of the recording and reproducing device cryptography 
process section 302 calculates the integrity check value 
B (ICVb') from the block information table key Kbit, the 
content key Kcon, and the block information table (BIT). 
The integrity check value B is generated, as shown in 
Fig. 24, by using as a key the integrity-check-value-B- 
generating key Kicvb stored in the internal memory 307 
of the recording and reproducing device cryptography 
process section 302, to decrypt an exclusive-ORed val- 
ue based on the DES, the exclusive-ORed value com- 
prising the block information table key Kbit, the content 
key Kcon, and the block information table (BIT). Then 
at step S109, the integrity check value B and the ICVb
in the header are compared together, and if they are 
equal, the process proceeds to step S110. 
[0489] As previously described, the check value B, 
ICVb is used to verify that the block information table 
key Kbit, the content key Kcon, and the block informa- 
tion table have not been tampered. If the integrity check 
value B generated by using as a key the integrity-check- 
value-B-generating key Kicvb stored in the internal 
memory 307 of the recording and reproducing device 
cryptography process section 302, dividing the block information
table key Kbit, the content key Kcon, and the
block information table (BIT) into 8-byte pieces, exclusive-ORing
these data, and encrypting the exclusive-ORed
data based on the DES, equals the check
value: ICVb stored in the header, it is determined that 
the block information table key Kbit, the content key 
Kcon, and the block information table have not been 
tampered. 

[0490] At step S110, the control section 306 of the recording
and reproducing device cryptography process
section 302 causes the encryption/decryption section 
308 of the recording and reproducing device cryptogra- 
phy process section 302 to calculate the intermediate 
integrity check value. The intermediate value is calcu- 
lated in accordance with the ICV calculation method de- 
scribed in Fig. 7 or the like, using as a key the total- 
integrity-check-value-generating key Kicvt stored in the 
internal memory 307 of the recording and reproducing 
device cryptography process section 302 and using the 
integrity check values A and B and all the held content 
integrity check values as a message. The intermediate 
integrity check value generated is stored in the record- 
ing and reproducing device cryptography process sec- 
tion 302 of the recording and reproducing device 300 as 
required. 

[0491] Next, at step S111, the control section 306 of
the recording and reproducing device cryptography 
process section 302 causes the encryption/decryption 
section 308 of the recording and reproducing device 
cryptography process section 302 to calculate the total 
integrity check value ICVt'. As shown in Fig. 25, the total
integrity check value ICVt is generated by using as a 
key a system signature key Ksys stored in the internal 
memory 307 of the recording and reproducing device 
cryptography process section 302, to encrypt the inter- 
mediate integrity check value based on the DES. Then 
at step S112, the total integrity check value ICVt generated
and the ICVt in the header stored at step S112 are
compared together, and if they are equal, the process 
proceeds to step S113. 

[0492] As previously described in Fig. 4, the total in- 
tegrity check value ICVt is used to verify that all of the 
integrity check values ICVa and ICVb and the integrity 
check value for each content block have not been tam- 
pered. Thus, if the total integrity check value generated 
by means of the above described process equals the 
integrity check value: ICVt stored in the Header, it is de- 
termined that all of the integrity check values ICVa and 
ICVb and the integrity check value for each content 
block have not been tampered. 

[0493] Then at step S113, the control section 301 of 
the recording and reproducing device 300 takes content 
block information out from the block information table 
(BIT) and checks whether any content block is to be ver- 
ified. If any content block is to be verified, the content 
integrity check value has been stored in the block infor- 
mation in the header. 

[0494] If any content block is to be verified, then at 
step S114, the control section 301 reads this content
block out from the medium 500 using the read section
304 of the recording and reproducing device 300 or re- 
ceived from the communicating means 600 by using the 
communication section 305 of the recording and repro- 
ducing device 300, and transmits the content block to 
the recording and reproducing device cryptography 
process section 302 of the recording and reproducing 
device 300. On receiving the content block, the control 
section 306 of the recording and reproducing device 
cryptography process section 302 causes the encryp- 
tion/decryption section 308 of the recording and repro- 
ducing device cryptography process section 302 to cal- 
culate the content integrity check value ICVi'. 
[0495] If the block has been encrypted, the content 
integrity check value ICVi is generated by decrypting the 
input content block in the DES CBC mode using the content
key Kcon, exclusive-ORing all of the decrypted text
every 8 bytes, and then encrypting the generated con- 
tent intermediate value with the content-integrity-check- 
value-generating key Kicvc stored in the internal mem- 
ory 307 of the recording and reproducing device 300. 
Additionally, if the block has not been encrypted, the 
content integrity check value is generated by sequen- 
tially inputting the entire block data (plain text) to the 
tamper-check-value-generating function shown in Fig. 
36 (DES-CBC-MAC using the content-integrity-check-
value-generating key Kicvc) in such a manner that 8
bytes are input each time. 

[0496] Then at step S115, the control section 306 of 
the recording and reproducing device cryptography 
process section 302 compares this content integrity 
check value with the ICV in the content block received 
from the control section 301 of the recording and repro- 
ducing device 300 at step S102, and passes the result 
to the control section 301 of the recording and reproduc- 
ing device 300. On receiving the result and if the verifi- 
cation has been successful, the control section 301 of 
the recording and reproducing device 300 takes out the 
next content block to be verified and causes the record- 
ing and reproducing device cryptography process sec- 
tion 302 of the recording and reproducing device 300 to 
verify this content block. Similar verification processes 
are repeated until all the content blocks are verified (step 
S116). 

[0497] In this regard, if the check values are not equal 
at any of steps 104, 109, 112, and 115, an error occurs 
to end the download process. 
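
The two ways of generating the block check value ICVi described in [0471] and [0495], and the compare-and-stop check of steps S113 to S116 and [0497], can be sketched as follows. This is an added example, not code from the patent: DES is replaced by a toy 64-bit Feistel stand-in (Python's standard library has no DES), the table field names `encrypted`, `check` and `icv` are hypothetical, and an encrypted block is assumed to have already been decrypted with Kcon before it is passed in.

```python
import hashlib
import hmac

UNIT = 8  # the page processes data 8 bytes at a time (the DES block size)


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one DES encryption (NOT DES): 4-round Feistel on 8 bytes."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def units(data: bytes):
    """Split data into 8-byte messages M1..Mn; reject ragged input."""
    if len(data) % UNIT:
        raise ValueError("data length must be a multiple of 8 bytes")
    return [data[i:i + UNIT] for i in range(0, len(data), UNIT)]


def xor8(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv_xor_fold(kicvc: bytes, plaintext: bytes) -> bytes:
    """Encrypted-block mode: XOR all 8-byte units together, then encrypt
    the folded value once with Kicvc."""
    folded = bytes(UNIT)
    for m in units(plaintext):
        folded = xor8(folded, m)
    return toy_encrypt(kicvc, folded)


def icv_cbc_mac(kicvc: bytes, plaintext: bytes) -> bytes:
    """Plain-text-block mode: CBC-MAC, each unit chained through the cipher."""
    state = bytes(UNIT)
    for m in units(plaintext):
        state = toy_encrypt(kicvc, xor8(state, m))
    return state


def block_icv(kicvc: bytes, plaintext: bytes, encrypted: bool) -> bytes:
    """Select the generation mode from the block's encryption flag."""
    return icv_xor_fold(kicvc, plaintext) if encrypted else icv_cbc_mac(kicvc, plaintext)


def verify_blocks(kicvc: bytes, table, blocks) -> int:
    """Walk the block information table; return 0 if every block marked for
    checking matches its stored ICVi, else the 1-based number of the first
    mismatching block (the point where the download would end in error)."""
    for number, (info, data) in enumerate(zip(table, blocks), start=1):
        if not info["check"]:
            continue
        computed = block_icv(kicvc, data, info["encrypted"])
        if not hmac.compare_digest(computed, info["icv"]):
            return number
    return 0


def demo():
    kicvc = b"constructed-Kicvc"                 # constructed key
    b1 = bytes(range(32))                         # constructed "decrypted" block
    b2 = b"plain text block"                      # constructed plain block, 16 bytes
    b3 = b"not checked"                           # block with no ICV defined
    table = [
        {"encrypted": True, "check": True, "icv": block_icv(kicvc, b1, True)},
        {"encrypted": False, "check": True, "icv": block_icv(kicvc, b2, False)},
        {"encrypted": False, "check": False, "icv": None},
    ]
    reordered = b1[8:16] + b1[:8] + b1[16:]       # same units, different order
    return {
        "clean": verify_blocks(kicvc, table, [b1, b2, b3]),
        "modified_block_2": verify_blocks(kicvc, table, [b1, b"plain text blocK", b3]),
        "fold_order_sensitive": icv_xor_fold(kicvc, b1) != icv_xor_fold(kicvc, reordered),
        "cbc_mac_order_sensitive": icv_cbc_mac(kicvc, b1) != icv_cbc_mac(kicvc, reordered),
    }


if __name__ == "__main__":
    print(demo())
```

The demo also reports a property of the two modes that the text does not spell out: the folded value does not depend on the order of the 8-byte units, whereas the chained CBC-MAC value does.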

[0498] Then at step S117, the recording and repro- 
ducing device cryptography process section 302 of the 
recording and reproducing device 300 causes the en- 
cryption/decryption section 308 of the recording and re- 
producing device cryptography process section 302 to 
encrypt the block information key Kbit and content key 
Kcon decrypted at step S106, using the session key 
Kses made sharable during the mutual authentication. 
The control section 301 of the recording and reproduc- 
ing device 300 reads the block information table key Kbit 
and the content key Kcon out from the recording and
reproducing device cryptography process section 302
of the recording and reproducing device 300 and then
transmits them to the recording device 400 via the recording
device controller 303 of the recording and reproducing
device 300.

[0499] Then at step S118, on receiving the block information
table key Kbit and the content key Kcon transmitted
from the recording and reproducing device 300,
the recording device 400 causes the encryption/decryption
section 406 of the recording device cryptography
process section 401 to decrypt the received data with
the session key Kses made sharable during the mutual
authentication and to then reencrypt the decrypted data
using the storage key Kstr unique to the recording device
which is stored in the internal memory 405 of the
recording device cryptography process 401. Then, the
control section 301 of the recording and reproducing device
300 reads the block information key Kbit and the
content key Kcon out from the recording device 400 via
the recording device controller 303 of the recording and
reproducing device 300, the block information key Kbit
and the content key Kcon being reencrypted with the
storage key Kstr. That is, the block information table key
Kbit encrypted with the distribution key Kdis is exchanged
with the content key Kcon.

[0500] Then at step S119, the control section 301 of
the recording and reproducing device 300 takes the localization
field out from the usage policy in the header
section of the data, to determine whether the downloaded
content can be used only in this recording and reproducing
device 300. If the localization field is set to 1, the
downloaded content can be used only by the recording
and reproducing device 300; if the localization field is
set to 0, the downloaded content can also be used by
other similar recording and reproducing devices 300. If
the result of the determination shows that the localization
field is set to 1, the process proceeds to step S120.
[0501] At step S120, the control section 301 of the recording
and reproducing device 300 causes the recording
and reproducing device cryptography process section
302 of the recording and reproducing device 300 to
calculate the integrity check value unique to the recording
and reproducing device. The integrity check value
unique to the recording and reproducing device is generated
by using as a key a recording and reproducing
device signature key Kdev stored in the internal memory
307 of the recording and reproducing device cryptography
process section 302, to encrypt the intermediate integrity
check value based on the DES, the intermediate
integrity check value being generated at step S110. The
calculated integrity check value ICVdev unique to the
recording and reproducing device substitutes for the total
integrity check value ICVt.

[0502] As previously described, the system signature key Ksys is used to add a common signature or ICV to the distribution system, and the recording and reproducing device signature key Kdev varies depending on the recording and reproducing device and is used by the recording and reproducing device to add a signature or ICV. That is, data signed with the system signature key Ksys are successfully checked by a system (recording and reproducing device) having the same system signature key, that is, such data have the same total integrity check value ICVt so as to be sharable. If, however, data are signed with the recording and reproducing device signature key Kdev, since this signature key is unique to the recording and reproducing device, the data signed with the recording and reproducing device signature key Kdev, that is, the data stored in a recording device after the signing cannot be reproduced if an attempt is made to reproduce them after this recording device has been inserted in another recording and reproducing device; that is, an error occurs due to the unequal integrity check values ICVdev unique to the recording and reproducing device. In the data processing apparatus according to the present invention, the setting of the localization field enables contents to be arbitrarily set so as to be shared throughout the entire system or used only by particular recording and reproducing devices.
[0503] Next, at step S121, the control section 301 of the recording and reproducing device 300 causes the recording and reproducing device cryptography process section 302 to form a storage data format. As previously described, one of the three format types 0 to 3 is set in the usage policy (see Fig. 5) in the header so that data are formed in accordance with the storage format in the right of one of the previously described Figs. 32 to 35 depending on the set type. The flow shown in Fig. 39 is for the format 0 or 1, so that the data are formed into one of the formats in Figs. 32 and 33.
[0504] Once the storage data format has been completed at step S121, the control section 301 of the recording and reproducing device 300 stores the content in the external memory 402 of the recording device 400 at step S122.

[0505] How the process for downloading content data of the format type 0 or 1 is carried out has been described.

[0506] The process for downloading content data of the format type 2 will be explained with reference to Fig. 40. Differences from the above described process for downloading data of the format type 0 or 1 will be focused on.

[0507] Steps S101 to S109 are similar to the above described process for downloading data of the format type 0 or 1, so description thereof is omitted.
[0508] Since the format type 2 has no content integrity check value ICVi defined therefor as previously described, the block information table contains no content integrity check value ICVi. The intermediate integrity check value in the format type 2 is generated by applying the system signature key Ksys to the intermediate integrity check value generated by connecting the integrity check values A and B to the entire content data between the leading data of the first block (the block key in the block 1) and the final block, to execute the encryption process.

[0509] Thus, in the process for downloading data of the format type 2, the content data are read out at step S151, and the intermediate integrity check value is generated based on the integrity check values A and B and the read-out content data at step S152. In this regard, the content data are not decrypted even if they have been encrypted.

[0510] For the format type 2, the processes for decrypting the block data and collating the content integrity check values are omitted contrary to the previously described process for the format type 0 or 1, thereby increasing the processing speed.

[0511] The processing at step S111 and subsequent steps is similar to that for the format type 0 or 1, so description thereof is omitted.

[0512] How the process for downloading content data of the format type 2 is carried out has been described. As described above, the process for downloading data of the format type 2 omits the processes for decrypting the block data and collating the content integrity check values contrary to the process for the format type 0 or 1, thereby increasing the processing speed; this format is thus suitable for processing of music data or the like which must be executed in real time.

[0513] Next, the process for downloading content data of format type 3 will be described with reference to Fig. 41. The following description will focus on differences from the above described download process for the format types 0, 1, and 2.

[0514] Steps S101 to S105 are similar to those of the above described download process for the format types 0, 1, and 2.

[0515] The process for the format type 3 essentially has many characteristics in common with that for the format type 2, but differs therefrom in that the format type 3 has no content key in that the block key Kblc is stored in the recording device after encryption with the storage key Kstr.

[0516] The following description will focus on the differences between the download process for the format type 3 and that for the format type 2. With the format type 3, at step S161, following step S105, the block information table key is decrypted. The control section 306 of the recording and reproducing device cryptography process section 302 uses the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 as well as the distribution key Kdis generated at step S105 to decrypt the block information table key Kbit stored in the header section of the data obtained from the medium 500 via the read section 304 or received from the communication means 600 via the communication section 305. With the format type 3, data contains no content key Kcon, so that the process for decrypting the content key Kcon is not executed.

[0517] At the next step S107, the block information table key Kbit decrypted at step S161 is used to decrypt the block information table, and at step S162, the control section 306 of the recording and reproducing device cryptography process section 302 generates integrity check value B (ICVb') from the block information table key Kbit and block information table (BIT). The integrity check value B is generated by using as a key the integrity-check-value-B-generating key Kicvb stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to encrypt the exclusive-ORed value comprising the block information table key Kbit and block information table (BIT), based on the DES. Next, at step S109, the integrity check value B and the ICVb in the header are compared together, and if they are equal, the process proceeds to step S151.

[0518] With the format type 3, the check value B, ICVb functions to verify that the block information table key Kbit and the block information table have not been tampered. If the integrity check value B generated equals the check value: ICVb stored in the header, it is determined that the block information table key Kbit and the block information table have not been tampered.

[0519] Steps S151 to S112 are similar to those of the process for the format type 2, and description thereof is omitted.

[0520] At step S163, the block key Kblc contained in the content data read out at step S151 is decrypted with the distribution key Kdis generated at step S105.
[0521] Then at step S164, the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to encrypt the block information key Kbit decrypted at step S161 and the block key Kblock decrypted at step S163, using the session key Kses made sharable during the mutual authentication. The control section 301 of the recording and reproducing device 300 reads the block information table key Kbit and the block key Kblc out from the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 and then transmits these data to the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.
[0522] Then at step S165, on receiving the block information table key Kbit and the block key Kblc transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device cryptography process section 401 to decrypt the received data with the session key Kses made sharable during the mutual authentication and to then reencrypt the decrypted data using the storage key Kstr unique to the recording device which is stored in the internal memory 405 of the recording device cryptography process 401. The control section 301 of the recording and reproducing device 300 reads the block information table key Kbit and the block key Kblc reencrypted by a storage key Kstr from the recording device 400 via the recording device controller of the recording and reproducing device 300. That is, the block information table key Kbit and block key Kblc initially encrypted with the distribution key Kdis are replaced with the block information table key Kbit and block key Kblc reencrypted with the storage key Kstr.
[0523] The subsequent steps S119 to S122 are similar to those for the format types 0, 1, and 2, so description thereof is omitted.

[0524] The aspect of the process for downloading content data of the format type 3 has been described. As described above, the download process for the format type 3 omits the decryption of the block data and the process for collating the content integrity check value as for the format type 2, thereby enabling prompt processing; the format type 3 is thus suitable for processing data such as music data which requires real-time processing. In addition, since the range within which the encrypted content is protected is localized by the block key Kblc, advanced security is achieved compared to the format type 2.

[0525] Next, processes for reproducing data of each of the format types 0 to 3 from the recording device 400 of the recording and reproducing device 300 will be explained with reference to the flow charts in Figs. 42 to 45.

[0526] First, a process for reproducing a content of the format type 0 will be explained with reference to Fig. 42.

[0527] Step S201 corresponds to an authentication process between the recording and reproducing device and the recording device and is executed in accordance with the authentication process flow previously described in Fig. 20.

[0528] Once the authentication process at step S201 has been completed to set the authentication flag, at step S202, the recording and reproducing device 300 reads the header of data of a predetermined format out from the recording device 400 and transmits it to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300.

[0529] Then at step S203, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the integrity check value A. The integrity check value A is calculated using as a key the integrity-check-value-A-generating key Kicva stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the content ID and the usage policy as a message, as shown in the previously described Fig. 23. Then, the integrity check value A and the check value: ICVa stored in the header are compared together at step S204, and if they are equal, the process proceeds to step S205.

[0530] The check value A, ICVa is used to verify that the content ID and the usage policy have not been tampered. If the calculated integrity check value A equals the check value: ICVa stored in the header, it is determined that the content ID and the usage policy have not been tampered.

[0531] Then at step S205, the control section 301 of the recording and reproducing device 300 takes out, from the read-out header section, the block information table key Kbit and content key Kcon encrypted with the storage key Kstr unique to the recording device and then transmits them to the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0532] On receiving the block information table key Kbit and the content key Kcon transmitted from the recording and reproducing device 300, the recording device 400 causes the encryption/decryption section 406 of the recording device cryptography process section 401 to decrypt the received data with the storage key Kstr unique to the recording device which is stored in the internal memory 405 of the recording device cryptography process and to then reencrypt the decrypted data using the session key Kses made sharable during the mutual authentication. This process is as previously described in detail in (9) Key Exchange Process after Mutual Authentication.

[0533] At step S206, the control section 301 of the recording and reproducing device 300 receives the block information table key Kbit and content key Kcon reencrypted with the session key Kses, from the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0534] Then at step S207, the control section 301 of the recording and reproducing device 300 transmits the received block information table key Kbit and content key Kcon which are reencrypted with the session key Kses, to the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300. On receiving the block information table key Kbit and content key Kcon reencrypted with the session key Kses the content block, the cryptography process section 302 of the recording and reproducing device 300 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to decrypt these keys Kbit and Kcon with the session key Kses made sharable during the mutual authentication.

[0535] Further at step S208, the decrypted block information table key Kbit is used to decrypt the block information read out at step S202. The recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 replaces the decrypted block information table key Kbit, content key Kcon, and block information table BIT with the block information table key Kbit, content key Kcon, and block information table BIT contained in the header read out at step S202, to hold the latter. Additionally, the control section 301 of the recording and reproducing device 300 reads the decrypted block information table BIT out from the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300.

[0536] Further, at step S209, the control section 306 of the recording and reproducing device cryptography process section 302 generates the integrity check value B (ICVb') from the block information table key Kbit, the content key Kcon, and the block information table (BIT). The integrity check value B is generated, as shown in Fig. 24, by using as a key the integrity-check-value-B-generating key Kicvb stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the exclusive-ORed value comprising the block information table key Kbit, the content key Kcon, and the block information table (BIT), based on the DES. Then at step S210, the integrity check value B and the ICVb in the header are compared together, and if they are equal, the process proceeds to step S211.

[0537] The check value B, ICVb is used to verify that the block information table key Kbit, the content key Kcon, and the block information table have not been tampered. If the integrity check value B generated equals the check value: ICVb stored in the header, it is determined that the block information table key Kbit, the content key Kcon, and the block information table stored in the recording device 400 have not been tampered.
[0538] At step S211, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the intermediate integrity check value. The intermediate value is calculated in accordance with the ICV calculation method described in Fig. 7, using as a key the total-integrity-check-value generating key Kicvt stored in the internal memory 307 of the recording and reproducing device cryptography process section 302 and using the integrity check values A and B in the verified header and all the content integrity check values in the block information table as a message as shown in Fig. 25. In this regard, the intermediate integrity check value generated is stored in the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 as required.

[0539] Next, at step S212, the control section 301 of the recording and reproducing device 300 takes the localization field out from the usage policy contained in the header section of the data read from the external memory 402 of the recording device 400 to determine whether the content to be reproduced can be used only by this recording and reproducing device 300 (in this case, the localization field is set to 1) or also by other similar recording and reproducing devices 300 (in this case, the localization field is set to 0). If the result of the determination shows that the localization field is set to 1, that is, the reproduced content can be used only by this recording and reproducing device 300, the process proceeds to step S213. If the localization field is set to 0, that is, the reproduced content can also be used by other similar recording and reproducing devices 300, the process proceeds to step S215. The processing at step S211 may be executed by the cryptography process section 302.

[0540] At step S213, the control section 301 of the recording and reproducing device 300 causes the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 to calculate the integrity check value ICVdev' unique to the recording and reproducing device. The integrity check value ICVdev' unique to the recording and reproducing device is generated, as shown in Fig. 25, by using as a key a recording and reproducing device signature key Kdev stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the intermediate integrity check value based on the DES, the intermediate integrity check value being held at step S58.

[0541] Then at step S214, the integrity check value ICVdev' unique to the recording and reproducing device calculated at step S213 and the ICVdev in the header read out at step S202 are compared together, and if they are equal, the process proceeds to step S217.
[0542] On the other hand, at step S215, the control section 306 of the recording and reproducing device cryptography process section 302 causes the encryption/decryption section 308 of the recording and reproducing device cryptography process section 302 to calculate the total integrity check value ICVt. The total integrity check value ICVt' is generated by using as a key the system signature key Ksys stored in the internal memory 307 of the recording and reproducing device cryptography process section 302, to decrypt the intermediate integrity check value based on the DES, as shown in Fig. 25. Then at step S216, the total integrity check value ICVt' generated and the ICVt in the header are compared together, and if they are equal, the process proceeds to step S217.

[0543] The total integrity check value ICVt and the integrity check value ICVdev unique to the recording and reproducing device are used to verify that all of the integrity check values ICVa and ICVb and the integrity check value for each content block have not been tampered. Thus, if the total integrity check value generated by means of the above described process equals the integrity check value: ICVt or ICVdev stored in the header, it is determined that all of the integrity check values for each content block have not been tampered.
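
The localization-dependent check of [0500] to [0502] and steps S212 to S216, as an added Python sketch that is not part of the patent text: it shows a header stored with ICVdev verifying only on the device that stored it, and a changed localization field being caught by ICVa. A SHA-256 Feistel construction stands in for DES, and the key values, header layout, zero padding and use of encryption on both sides are assumptions of the sketch.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit block, the DES block size


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key, block):
    """Stand-in 64-bit block cipher (8-round Feistel over SHA-256). NOT DES."""
    left, right = block[:4], block[4:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return left + right


def cbc_mac(key, message):
    """CBC-MAC over 8-byte blocks; zero padding is an assumption of this sketch."""
    message += b"\x00" * (-len(message) % BLOCK)
    state = bytes(BLOCK)
    for i in range(0, len(message), BLOCK):
        state = toy_encrypt(key, _xor(state, message[i:i + BLOCK]))
    return state


def icv_a(keys, header):
    # ICVa covers the content ID and the usage policy (reduced here to the
    # one-byte localization field).
    return cbc_mac(keys["Kicva"], header["content_id"] + bytes([header["localization"]]))


def intermediate(keys, header):
    # Intermediate ICV: MAC under Kicvt over ICVa, ICVb and the content ICVs.
    msg = header["ICVa"] + header["ICVb"] + b"".join(header["content_icvs"])
    return cbc_mac(keys["Kicvt"], msg)


def distribute(keys, content_id, localization):
    """Constructed sample header as it leaves the distributor (ICVt under Ksys)."""
    header = {"content_id": content_id, "localization": localization,
              "ICVb": b"\x22" * 8, "content_icvs": [b"\x33" * 8, b"\x44" * 8]}
    header["ICVa"] = icv_a(keys, header)
    header["ICV_total"] = toy_encrypt(keys["Ksys"], intermediate(keys, header))
    return header


class Device:
    """Recording and reproducing device: shared system keys plus a unique Kdev."""

    def __init__(self, system_keys, kdev):
        self.keys = system_keys
        self.kdev = kdev

    def _check(self, header, signing_key, step):
        if not hmac.compare_digest(icv_a(self.keys, header), header["ICVa"]):
            return False, "S204"
        expected = toy_encrypt(signing_key, intermediate(self.keys, header))
        if not hmac.compare_digest(expected, header["ICV_total"]):
            return False, step
        return True, None

    def download(self, header):
        """Download side: check the distributed ICVt (assumed), then S119-S120."""
        ok, _ = self._check(header, self.keys["Ksys"], "ICVt")
        if not ok:
            raise ValueError("distributed header failed verification")
        stored = dict(header)
        if header["localization"] == 1:
            # ICVdev substitutes for ICVt in the stored header.
            stored["ICV_total"] = toy_encrypt(self.kdev, intermediate(self.keys, header))
        return stored

    def reproduce(self, header):
        """Reproduction side, steps S203-S216. Returns (ok, failed_step)."""
        if header["localization"] == 1:
            return self._check(header, self.kdev, "S214")
        return self._check(header, self.keys["Ksys"], "S216")


def run_scenarios():
    system = {"Kicva": b"A" * 8, "Kicvt": b"T" * 8, "Ksys": b"S" * 8}  # constructed
    dev_a = Device(system, kdev=b"devA-key")
    dev_b = Device(system, kdev=b"devB-key")
    results = {}
    for loc in (0, 1):
        stored = dev_a.download(distribute(system, b"CONTENT1", loc))
        results[loc] = (dev_a.reproduce(stored), dev_b.reproduce(stored))
    # A stored copy whose localization field was cleared fails the ICVa check.
    results["altered"] = dev_b.reproduce(dict(stored, localization=0))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```
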
[0544] Next, at step S217, the control section 301 of the recording and reproducing device 300 reads the block data out from the recording device 400. Furthermore, at step S218, it is determined whether or not the data have been encrypted, and if the data have been encrypted, the cryptography process section 302 of the recording and reproducing device 300 decrypts the block data. If the data have not been encrypted, the process skips step S219 and advances to step S220.
[0545] Then at step S220, the control section 301 of the recording and reproducing device 300 checks whether any content block is to be verified, based on the content block information table in the block information table (BIT). If any content block is to be verified, the content integrity check value has been stored in the block information in the header. In this case, the content integrity check value ICVi for this content block is calculated at step S221. If no content block is to be verified, the process skips steps S221 and S222 to advance to step S223.

[0546] If the block has been encrypted as previously described in Fig. 36, the content integrity check value ICVi' is generated by decrypting the input content block with the content key Kcon in the DES CBC mode, exclusive-ORing all of the result every 8 bytes to generate the content intermediate value, and then encrypting the obtained value with the content-integrity-check-value-generating key Kicvc stored in the internal memory 307 of the recording and reproducing device 300. Additionally, if the block has not been encrypted, the content integrity check value is generated by sequentially inputting the entire data (plain text) to the tamper-check-value-generating function shown in Fig. 36 (DES-CBC-MAC using the content-integrity-check-value-generating key Kicvc) in such a manner that 8 bytes are input each time.

[0547] At step S222, the control section 306 of the recording and reproducing device cryptography process section 302 compares the generated content integrity check value ICVi' with the ICVi stored in the content block received from the recording device 400 at step S202, and passes the result to the control section 301 of the recording and reproducing device 300. On receiving the result and if the verification has been successful, the content plain data for execution (reproduction) on the RAM of the recording and reproducing device system at step S223. The control section 301 of the recording and reproducing device 300 takes out the next content block to be verified and causes the recording and reproducing device cryptography process section 302 of the recording and reproducing device 300 to verify this content block. Similar verification processes and RAM storage processes are repeated until all the content blocks are verified (step S224).
[0548] If the check values do not match at any of steps S204, S210, S214, S216, and S222, an error occurs to end the reproduction process.

[0549] When it is determined at step S224 that all the blocks have been read out, the process proceeds to step S225 to start executing and reproducing the content (program or data).

[0550] The aspect of the process for reproducing content data of the format type 0 has been explained.

[0551] Next, the process for downloading content data of the format type 1 will be explained with reference to Fig. 43. The following description will focus on differences from the above described download process for the format type 0.

[0552] The processing from steps S201 to S217 is similar to that in the above described download process for the format type 0, so description thereof is omitted.
[0553] For the format type 1, at step S231, encrypted parts are decrypted to generate a part ICV. Further at step S232, the block ICVi' is generated. As previously described, with the format type 1, if at least one of the parts in a block contains data to be verified with the integrity check value ICVi, the content integrity check value ICVi is defined for this block. If the part j has been encrypted, an integrity check value P-ICVij for a part j of a block i is generated by exclusive-ORing the entire plain text (decrypted text) every 8 bytes and decrypting the obtained value with the content-integrity-check-value-generating key Kicvc. Additionally, if the part j has not been encrypted, the integrity check value P-ICVij is generated by sequentially inputting the entire data (plain text) to the tamper-check-value-generating function shown in Fig. 36 (DES-CBC-MAC using the content-integrity-check-value-generating key Kicvc) in such a manner that 8 bytes are input each time.
[0554] Further, if the block i contains only one part having [ICV flag = subject of ICV] indicating that it is to be checked, the integrity check value P-ICVij generated using the above method is directly used as the block integrity check value ICVi. If the block i contains a plurality of parts having [ICV flag = subject of ICV] indicating that they are to be checked, the integrity check value P-ICVij is generated by connecting a plurality of parts integrity check values P-ICVij together in accordance with part numbers to obtain data and sequentially inputting the entire data (plain text) to the tamper-check-value-generating function shown in Fig. 36 (DES-CBC-MAC using the content-integrity-check-value-generating key Kicvc) in such a manner that 8 bytes are input each time. This is the same as explained in Fig. 37.

[0555] For the format type 1, the content integrity check value generated by means of the above described procedure undergoes comparison at step S222. Processing at the next step S223 and the subsequent steps is similar to that for the format type 0, so description thereof is omitted.

[0556] Next, the process for reproducing content data of the format type 2 will be explained with reference to Fig. 44. The following description will focus on differences from the above described reproduction processes for the format types 0 and 2.

[0557] Steps S201 to S210 are similar to those in the above described reproduction processes for the format types 0 and 1, so description thereof is omitted.
[0558] For the format type 2, the processing at steps S211 to S216, which is executed for the format types 0 and 1, is not executed. In addition, the format type 2 has no content integrity check value, so that verification of the content integrity check value, which is executed for the format types 0 and 1, is not executed.
[0559] In the data reproduction process for the format type 2, after step S210 for verifying the integrity check value B, the process proceeds to step S217 where the block data are read out under the control of the control section 301 of the recording and reproducing device 300. Further, at step S241, the cryptography process section 306 of the recording and reproducing device 300 decrypts the block key Kblc contained in the block data. The block key Kblc stored in the recording device 400 has been encrypted with the content key Kcon as shown in Fig. 34 and is thus decrypted with the content key Kcon decrypted at the previous step S207.
[0560] Then at step S242, the block key Kblc decrypted at step S241 is used to decrypt the block data. Furthermore, at step S243, the content (program or data) is executed and reproduced. The processing from steps S217 to S243 is repeated for all the blocks. When it is determined at step S244 that all the blocks have been read out, the reproduction process is ended.

[0561] As described above, the process for the format type 2 omits the process for verifying the integrity check value such as the total integrity check value. It thus provides a configuration suitable for executing the decryption process at a high speed and a format suitable for processing data such as music data which requires real-time processing.

[0562] Next, the process for reproducing content data of format type 3 will be described with reference to Fig. 45. The following description will focus on differences from the above described reproduction process for the format types 0, 1, and 2.

[0563] The process for the format type 3 essentially has many characteristics in common with that for the format type 2, but differs therefrom in that, as described in Fig. 35, the format type 3 has no content key in that the block key Kblc is stored in the recording device after encryption with the storage key Kstr.
[0564] Between steps S201 and S210, processing at steps S251, S252, S253, and S254 is configured to omit the use of the content key contrary to the corresponding processing for the formats 0, 1, and 2.
[0565] At step S251, the control section 301 of the recording and reproducing device 300 takes out, from the read-out header, the block information table key Kbit encrypted with the storage key Kstr unique to the recording device and then transmits this key to the recording device 400 via the recording device controller 303 of the recording and reproducing device 300.

[0566] On receiving the block information table key
Kbit transmitted from the recording and reproducing
device 300, the recording device 400 causes the
encryption/decryption section 406 of the recording device
cryptography process section 401 to decrypt the received
data with the storage key Kstr unique to the recording
device which is stored in the internal memory 405 of the
recording device cryptography process section 401 and
to then reencrypt the decrypted data using the session
key Kses made sharable during the mutual authentication.
This process is as previously described in detail in
(9) Key Exchange Process after Mutual Authentication.
[0567] At step S252, the control section 301 of the re- 
cording and reproducing device 300 receives the block 
information table key Kbit reencrypted with the session 
key Kses, from the recording device 400 via the record- 
ing device controller 303 of the recording and reproduc- 
ing device 300. 

[0568] Then at step S253, the control section 301 of 
the recording and reproducing device 300 transmits the 
received block information table key Kbit reencrypted 
with the session key Kses, to the recording and repro- 
ducing device cryptography process section 302 of the 
recording and reproducing device 300. On receiving the 
block information table key Kbit reencrypted with the 
session key Kses the content block, the recording and 
reproducing device cryptography process section 302 
of the recording and reproducing device 300 causes the 
encryption/decryption section 308 of the recording and 
reproducing device cryptography process section 302 
to decrypt this block information table key Kbit with the 
session key Kses made sharable during the mutual au- 
thentication. 

[0569] Further at step S208, the decrypted block in- 
formation table key Kbit is used to decrypt the block in- 
formation read out at step S202. The recording and re- 
producing device cryptography process section 302 of 
the recording and reproducing device 300 replaces the 
decrypted block information table key Kbit and block in- 
formation table BIT with the block information table key 
Kbit and block information table BIT contained in the 
header read out at step S202, to hold the latter. Addi- 
tionally, the control section 301 of the recording and re- 
producing device 300 reads the decrypted block infor- 
mation table BIT out from the recording and reproducing 
device cryptography process section 302 of the record- 
ing and reproducing device 300. 

[0570] Further, at step S254, the control section 306 
of the recording and reproducing device cryptography 
process section 302 generates the integrity check value 
B(ICVb') from the block information table key Kbit and 
the block information table (BIT). The integrity check val- 
ue B is generated, as shown in Fig. 24, by using as a 
key the integrity-check-value-B-generating key Kicvb 
stored in the internal memory 307 of the recording and 
reproducing device cryptography process section 302, 
to decrypt the exclusive-ORed value comprising the 
block information table key Kbit and the block informa- 
tion table (BIT), based on the DES. Then at step S210, 
the integrity check value B and the ICVb in the header 
are compared together, and if they are equal, the proc- 
ess proceeds to step S211. 

[0571] With the format type 3, the block key is further
encrypted with the storage key when stored in the
recording device, thereby requiring the recording device
400 to execute decryption processes with the storage
key and the session key Kses and also requiring the
recording and reproducing device 300 to execute a
decryption process with the session key. This series of
steps corresponds to the process steps shown as steps
S255 and S256.

[0572] At step S255, the control section 301 of the
recording and reproducing device 300 takes out, from the
read-out header, the block key Kblc encrypted with the
storage key Kstr unique to the recording device which
has been read out at step S217 and then transmits this
key to the recording device 400 via the recording device
controller 303 of the recording and reproducing device
300.

[0573] On receiving the block key Kblc transmitted
from the recording and reproducing device 300, the
recording device 400 causes the encryption/decryption
section 406 of the recording device cryptography process
section 401 to decrypt the received data with the
storage key Kstr unique to the recording device which
is stored in the internal memory 405 of the recording
device cryptography process section 401 and to then
reencrypt the decrypted data using the session key Kses
made sharable during the mutual authentication. This
process is as previously described in detail in (9) Key
Exchange Process after Mutual Authentication.

[0574] At step S256, the control section 301 of the
recording and reproducing device 300 receives the block
key Kblc reencrypted with the session key Kses, from
the recording device 400 via the recording device
controller 303 of the recording and reproducing device 300.

[0575] Then, at step S257, the cryptography process
section 306 of the recording and reproducing device 300
decrypts the block key Kblc using the session key Kses.
[0576] Then at step S242, the block key Kblc decrypted
at step S257 is used to decrypt the block data.
Furthermore, at step S243, the content (program or data)
is executed and reproduced. The processing from steps
S217 to S243 is repeated for all the blocks. When it is
determined at step S244 that all the blocks have been
read out, the reproduction process is ended.

[0577] The process for reproducing a content of the
format type 3 has been described. The format type 3 is
similar to the format type 2 in that the process for
verifying the total integrity check value is omitted, but
provides a processing configuration with a higher security
level due to the inclusion of the process for exchanging
the block key.

(11) Process Executed by Content Provider to Generate
Integrity Check Value (ICV)

[0578] In the above described embodiments, the
verification processes with the various integrity check
values ICV are executed during downloading or reproduction
of a content. Aspects of the process for generating
the integrity check values ICV and the verification
process will be described below.

[0579] First, each of the integrity check values
explained in the embodiments will be described in brief.
The following integrity check values ICV are used in the
data processing apparatus according to the present
invention.

[0580] Integrity check value A, ICVa: integrity check
value for verifying that the content ID and usage policy
in the content data have not been tampered with.
[0581] Integrity check value B, ICVb: integrity check
value for verifying that the block information table key
Kbit, the content key Kcon, and the block information
table have not been tampered with.

[0582] Content integrity check value ICVi: integrity
check value for verifying that each content block of the
content has not been tampered with.
[0583] Total integrity check value ICVt: integrity check
value for verifying that the integrity check value ICVa,
the integrity check value ICVb, and all the integrity check
values for the content blocks have not been tampered with.
[0584] Integrity check value ICVdev unique to the
recording and reproducing device: integrity check value
that is replaced with the total integrity check value ICVt
if the localization flag is set to 1, that is, the content can
be used only by a particular recording and reproducing
device and that is generated as an integrity check value
for the previously described integrity check value A:
ICVa, integrity check value B: ICVb, and integrity check
value ICVi contained in each block of the content to be
checked.

[0585] Depending on the format, not the check value 
for each content block but the content itself is checked 
by the integrity check values ICVt and ICVdev. 
[0586] Each of the above integrity check values is used
in the data processing apparatus according to the 
present invention. Of these integrity check values, the 
integrity check values A and B, the total integrity check 
value, and the content integrity check value are gener- 
ated by a content provider for providing content data or 
a content manager based on data to be verified, as 
shown, for example, in Figs. 32 to 35 and 6 and are 
stored in the data together with the content before being 
provided to a user of the recording and reproducing de- 
vice 300. When downloading or reproducing the content 
to or from the recording device, the user of the recording 
and reproducing device, that is, the content user gener- 
ates verifying ICVs based on each data to be verified, 
to compare them with the stored ICVs. Additionally, the 
integrity check value ICVdev unique to the reproducing 
device is replaced with the total integrity check value 
ICVt and then stored in the recording device if it is shown 
that the content can be used only by this recording and 
reproducing device. 
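
The ICV hierarchy of paragraphs [0580] to [0586], as an added example that is not part of the patent text: a generator computes ICVa, ICVb, the per-block ICVi and a total value over them (ICVt, or ICVdev when localized), and a verifier regenerates and compares them. HMAC-SHA-256 stands in for the DES-CBC check values; the key names other than Kicvb and Kdev, the record layout and all sample values are assumptions constructed for illustration.

```python
"""ICV hierarchy of paragraphs [0580]-[0586] (added example, not patent code).

Assumptions: HMAC-SHA-256 stands in for the DES-CBC check values; key names
other than Kicvb and Kdev, the record layout and all sample values are
constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict, Optional


def icv(key: bytes, *parts: bytes) -> bytes:
    """Keyed check value over length-prefixed parts, so field boundaries cannot shift."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def generate_icvs(keys: Dict[str, bytes], content: dict,
                  kdev: Optional[bytes] = None) -> dict:
    """Generator side: partial ICVs, then one value computed over all of them.

    With kdev given (localization flag = 1) the total value is ICVdev,
    otherwise it is ICVt.
    """
    icva = icv(keys["Kicva"], content["content_id"], content["usage_policy"])
    icvb = icv(keys["Kicvb"], content["kbit"], content["kcon"], content["bit"])
    icvi = [icv(keys["Kicvc"], block) for block in content["blocks"]]
    total_key = kdev if kdev is not None else keys["Kicvt"]
    return {"ICVa": icva, "ICVb": icvb, "ICVi": icvi,
            "localized": kdev is not None,
            "total": icv(total_key, icva, icvb, *icvi)}


def verify_icvs(keys: Dict[str, bytes], content: dict, stored: dict,
                kdev: bytes) -> str:
    """Verifier side: regenerate every ICV and compare; return 'ok' or the failing check."""
    fresh = generate_icvs(keys, content, kdev if stored["localized"] else None)
    if not hmac.compare_digest(fresh["ICVa"], stored["ICVa"]):
        return "ICVa"
    if not hmac.compare_digest(fresh["ICVb"], stored["ICVb"]):
        return "ICVb"
    if len(fresh["ICVi"]) != len(stored["ICVi"]):
        return "ICVi count"
    for index, (new, old) in enumerate(zip(fresh["ICVi"], stored["ICVi"])):
        if not hmac.compare_digest(new, old):
            return f"ICVi[{index}]"
    if not hmac.compare_digest(fresh["total"], stored["total"]):
        return "ICVdev" if stored["localized"] else "ICVt"
    return "ok"


# Constructed sample keys and content record.
SAMPLE_KEYS = {name: hashlib.sha256(b"constructed " + name.encode()).digest()
               for name in ("Kicva", "Kicvb", "Kicvc", "Kicvt")}
KDEV_A = hashlib.sha256(b"constructed Kdev of device A").digest()
KDEV_B = hashlib.sha256(b"constructed Kdev of device B").digest()
SAMPLE_CONTENT = {
    "content_id": b"CONTENT-0001",
    "usage_policy": b"format=1",
    "kbit": b"\x11" * 8,
    "kcon": b"\x22" * 8,
    "bit": b"blocks=3",
    "blocks": [b"block-0 data", b"block-1 data", b"block-2 data"],
}


def demo() -> dict:
    stored = generate_icvs(SAMPLE_KEYS, SAMPLE_CONTENT)
    localized = generate_icvs(SAMPLE_KEYS, SAMPLE_CONTENT, KDEV_A)
    new_policy = dict(SAMPLE_CONTENT, usage_policy=b"format=1;unlimited")
    new_block = dict(SAMPLE_CONTENT, blocks=[b"block-0 data", b"patched", b"block-2 data"])
    # A block removed together with its ICVi: every partial check still passes.
    shortened = dict(SAMPLE_CONTENT, blocks=SAMPLE_CONTENT["blocks"][:2])
    shortened_icvs = dict(stored, ICVi=stored["ICVi"][:2])
    return {
        "intact": verify_icvs(SAMPLE_KEYS, SAMPLE_CONTENT, stored, KDEV_A),
        "policy_changed": verify_icvs(SAMPLE_KEYS, new_policy, stored, KDEV_A),
        "block_changed": verify_icvs(SAMPLE_KEYS, new_block, stored, KDEV_A),
        "block_removed": verify_icvs(SAMPLE_KEYS, shortened, shortened_icvs, KDEV_A),
        "localized_same_device": verify_icvs(SAMPLE_KEYS, SAMPLE_CONTENT, localized, KDEV_A),
        "localized_other_device": verify_icvs(SAMPLE_KEYS, SAMPLE_CONTENT, localized, KDEV_B),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The block_removed case is the one only the total value catches: the partial checks each cover one field or block, so a consistent removal passes them all.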

[0587] In the above described embodiments, the
processes for generating the integrity check values are
principally based on the DES-CBC. The present invention,
however, is not limited to the above described
method but includes various ICV-generating and -verifying
process aspects. In particular, for the relationship
between the content provider or manager and the content
user, the following various ICV-generating and -verifying
process configurations are possible.
[0588] Figs. 46 to 48 are views useful in explaining a 
generation process executed by a generator of the in- 
tegrity check value ICV and a verification process exe- 
cuted by a verifier. 

[0589] Fig. 46 shows a configuration wherein, for
example, an ICV generator who is a content provider or
manager executes the process for generating the ICV
based on the DES-CBC as described in the above
embodiments and then provides the generated ICV to a
recording and reproducing device user, that is, a verifier
together with the content. In this case, for the verification
process, the recording and reproducing device user,
that is, the verifier requires, for example, the keys stored
in the internal memory 307 shown in Fig. 18, for
generating the corresponding integrity check values. The
verifier (recording and reproducing device user) who is the
content user uses the integrity-check-value-generating
key stored in the internal memory 307 to apply the
DES-CBC to data to be verified in order to generate the
integrity check values and then compares these values
with stored integrity check values. In this case, each
integrity-check-value-generating key is configured so as
to be secretly shared by the ICV creator and the verifier.
[0590] Fig. 47 shows a configuration wherein the ICV 
creator who is the content provider or manager gener- 
ates ICVs using a digital signature of a public key cryp- 
tosystem and then provides the generated ICVs to the 
content user, that is, the verifier together with the con- 
tent and wherein the content user, that is, the verifier 
stores the public key of the ICV creator and uses this 
key to verify the ICVs. In this case, the public key of the 
ICV creator which is held by the content user (recording 
and reproducing device user), that is, the verifier need 
not be secret, resulting in easier management. This as- 
pect is thus suitable for ICV generation and manage- 
ment executed at a high security management level, for 
example, that executed in one entity. 
[0591] In Fig. 48, the ICV creator who is the content 
provider or manager generates ICVs using a digital sig- 
nature of a public key cryptosystem, then provides the 
generated ICVs to the content user, that is, the verifier 
together with the content, further stores a public key 
used by the verifier for verification, in a public key
certificate (see, for example, Fig. 14), and then provides
this key to the recording and reproducing device user, 
that is, the verifier. With a plurality of ICV creators, each 
creator has a key managing center create data (a public 
key certificate) for certifying the validity of the public key. 
[0592] The content user who is the ICV verifier has a 
public key of the key managing center. The verifier ver- 
ifies the public key certificate using the public key of the 
key managing center, and takes out the public key of the 
ICV creator stored in the public key certificate if its va- 
lidity has been ascertained. The verifier further verifies 
the ICVs using the taken-out public key of the ICV cre- 
ator. 

[0593] This method is an aspect useful if a plurality of
ICV creators are present and if a center for managing
these creators has an established management system.

(12) Configuration for Generating Cryptography 
Process Keys Based on Master Keys 

[0594] A configuration for generating various cryptog- 
raphy process keys based on the master keys, which 
configuration is characteristic of the present data 
processing system, will be described below. 
[0595] As previously described with reference to Fig. 
18, the internal memory of the recording and reproduc- 
ing device 300 in the present data processing apparatus 
stores the various master keys, each of which is used, 
for example, to generate the authentication key Kake
(see Equation 3) or the distribution key Kdis (see Equa- 
tion 4). 

[0596] When cryptography communication, mutual 
authentication, MAC generation, verification, or the like 
is carried out between two entities, that is, the content 
provider and the content provider, or the recording and 
reproducing device 300 and the recording device 400 in 
the present data processing apparatus, these entities 
conventionally hold secret information common to them, 
for example, key information. Additionally, when the 
above process is carried out between one and many en- 
tities, for example, one content provider and many con- 
tent users, or one recording and reproducing device and 
many recording media, these entities conventionally 
store and hold secret information common to all the en- 
tities, that is, secret information common to many con- 
tent users or many recording media, or one content pro- 
vider individually manages and uses secret information 
(ex. key) for each of many content users. 
[0597] With the one-to-many relationship as described
above, however, the configuration owning secret
information (key) shared by all the entities is
disadvantageous in that leakage of the secret from one entity
affects all the other entities using the same secret
information (ex. key). In addition, when one manager, for
example, a content provider individually manages and uses
secret information for each content user, a list is
required which serves to identify all the users and which
associates this identification data with unique secret
information (ex. keys), thereby disadvantageously increasing
list maintaining and managing burdens in proportion
to the number of users.

[0598] The data processing apparatus according to 
the present invention has solved such a conventional 
problem with the sharing of secret information between 
entities using a configuration for holding the master keys 
and generating various individual keys therefrom. This 
configuration will be described below. 
[0599] In the data processing apparatus according to
the present invention, if different individual keys are
required for various cryptography processes, authentication
processes, and the like between recording devices,
media storing contents, or recording and reproducing
devices, these individual keys are generated using
individual information such as identifier data (ID) unique to
the devices or media and an individual-key generating
method previously determined in the recording and
reproducing device 300. With this configuration, if any
individual key generated should be identified, damage to
the entire system can be precluded by preventing the
corresponding master key from leaking. In addition, the
configuration for generating the keys from the master
keys eliminates the need for the association list.

[0600] A specific example of configuration will be
described with reference to the drawings. Fig. 49 is a view
useful in explaining the configuration for generating
various keys using the various master keys held by the
recording and reproducing device 300. The medium 500
and the communication means 600 in Fig. 49 input
contents as in the already described embodiments. The
content is encrypted by the content key Kcon, which is
in turn encrypted by the distribution key Kdis.

[0601] For example, if the recording and reproducing
device 300 attempts to take a content out from the
medium 500 or the communication means 600 and
download it to the recording device 400, the recording and
reproducing device 300 must obtain the distribution key
Kdis that has encrypted the content key as previously
described in Figs. 2 and 39 to 41. Although the key Kdis
can be directly obtained from the medium 500 or the
communication means 600 or the recording and
reproducing device 300 can obtain and store it in its memory
beforehand, the configuration for distributing such a key
to many users may be subjected to leakage, which may
affect the entire system, as described above.
[0602] The data processing system according to the
present invention is configured to generate the
distribution key Kdis by applying a master key MKdis for the
distribution key stored in the memory of the recording
and reproducing device 300 as well as a process based
on the content ID, that is, Kdis = DES (MKdis, content
ID), as shown in the lower part of Fig. 49. In a content
distributing configuration between a content provider
providing contents from the medium 500 or the
communication means 600 and the recording and reproducing
device 300, which is a content user, despite a large
number of content providers, this configuration enables
advanced security to be maintained without the need to
distribute the individual distribution keys Kdis via the
medium, the communication means, or the like or to
store them in each recording and reproducing device
300.

[0603] Next, the generation of the authentication key
Kake will be explained. In downloading a content from
the recording and reproducing device 300 to the
recording medium 400 as previously described in Figs. 22 and
39 to 41 or causing the recording and reproducing
device 300 to execute and reproduce a content stored in
the recording medium 400 as described in Figs. 42 to
45, the recording and reproducing device 300 and the
recording medium 400 must execute the mutual
authentication process (see Fig. 20).

[0604] As described in Fig. 20, this authentication 
process requires the recording and reproducing device 
300 to have the authentication key Kake. Although the 
recording and reproducing device 300 can obtain the 
authentication key directly from, for example, the re- 
cording medium 400 or can obtain and store it in its 
memory beforehand, the configuration for distributing 
such a key to many users may be subjected to leakage, 
which may affect the entire system, as in the above de- 
scribed configuration for the distribution key. 
[0605] The data processing system according to the 
present invention is configured to obtain the authentica- 
tion key Kake by applying a master key MKake for the 
distribution key stored in the memory of the recording 
and reproducing device 300 as well as a process based 
on the recording device ID: IDmem, that is, Kake = DES
(MKake, IDmem), as shown in the lower part of Fig. 49.
[0606] Further, in downloading a content from the re- 
cording and reproducing device 300 to the recording 
medium 400 as previously described in Figs. 22 and 39 
to 41 or causing the recording and reproducing device 
300 to execute and reproduce a content stored in the 
recording medium 400 as described in Fig. 28, Figs. 42 
to 45, a configuration similar to that for the distribution 
or authentication key described above can be used for 
the recording and reproducing device signature key 
Kdev required to generate the integrity check value 
ICVdev unique to the recording and reproducing device 
if the content can be used only by a particular recording 
and reproducing device. In the above described
embodiments, the recording and reproducing device signature
key Kdev is stored in the internal memory, but if the
master key MKdev for the recording and reproducing device
signature key is stored in the memory whereas the
recording and reproducing device signature key Kdev is
not stored therein and if the recording and reproducing
device signature key Kdev is obtained by means of Kdev
= DES (MKdev, IDdev) based on the recording and
reproducing device identifier: IDdev and the master key
MKdev for the recording and reproducing device
signature key, as required, as shown in the lower part of Fig.
49, then it advantageously becomes unnecessary for
each apparatus to have the recording and reproducing
device signature key Kdev.

[0607] In this manner, the data processing apparatus 
according to the present invention is configured to se- 
quentially generate from the master keys and each ID, 
information such as a key which is required for the cryp- 
tography information process between two entities such 
as the provider and the recording and reproducing de- 
vice or the recording and reproducing device and the 
recording device. Consequently, even if the key infor- 
mation leaks from each entity, the range of damage in- 
curred by the individual keys is further limited, and it also 
becomes unnecessary to manage key lists for the indi- 
vidual entities as described above. 
[0608] A plurality of examples of processes relating to
this configuration will be explained by showing a flow.
Fig. 50 shows examples of a process executed by the
content producer or manager to decrypt a content or the
like using a master key and a process executed by a
user device, for example, the recording and reproducing
device 300 in the above described embodiment to
decrypt the encrypted data using the master key.
[0609] At step S501, a content producer or manager
imparts an identifier (content identifier) to a content. At
step S502, the content producer or manager generates
a key for encrypting a content or the like based on its
owned master key and a content ID. At this step, if the
distribution key Kdis is to be generated, it is generated
based on the above described Kdis = DES (MKdis,
medium ID). Then at step S503, the content producer or
manager uses a key (for example, the distribution key
Kdis) to encrypt part or all of the content stored in the
medium. The content producer supplies the content
encrypted through these steps, via the medium such as a
DVD, the communication means, or the like.

[0610] On the other hand, at step S504, a user device
such as the recording and reproducing device 300 reads
the content ID from the content data received via the
medium such as a DVD, the communication means, or
the like. Then at step S505, the user device generates
a key applied to decryption of the encrypted content
based on the read-out medium ID and its owned master
key. If the distribution key Kdis is to be obtained, this
generation process corresponds to, for example, the
distribution key Kdis = DES (MKdis, medium ID). At step
S506, the user device uses this key to decrypt the
content, and at step S507, uses, that is, reproduces the
decrypted content or executes the program.
[0611] In this example, as shown in the lower part of
Fig. 50, both the content producer or manager and the
user device have the master key (for example, the
distribution-key-generating master key MKdis) to
sequentially generate the distribution key required to encrypt or
decrypt the content based on their owned master key
and each ID (medium ID).

[0612] With this system, if the distribution key leaks
to a third person, the third person can decrypt that
content, but contents stored in other media with different
content IDs can be prevented from decryption, thereby
minimizing the adverse effects of the leakage of one
content key on the entire system. Additionally, this
system does not require the user device, that is, the
recording and reproducing device to hold a key associating list
for each medium.

[0613] An example where the content producer or
manager holds a plurality of master keys to execute a
process depending on a content distribution destination
will be described with reference to Fig. 52.

[0614] Step S511 executed by the content producer
or manager comprises imparting an identifier (content
ID) to the content. Step S512 comprises selecting one
of a plurality of master keys (for example, a plurality of
distribution-key-generating master keys MKdis) held by
the content producer or manager. Although described
in further detail with reference to Fig. 52, this selection
process comprises setting an applied master key
beforehand for each of the countries to which content
users belong, each apparatus type, or each apparatus
version and executing the master keys in accordance with
the settings.

[0615] Then at step S513, the content producer or
manager generates an encryption key based on the
master key selected at step S512 and the content ID
determined at step S511. If, for example, the distribution
key Kdis is to be generated, it is generated based on the
above described Kdis = DES (MKdis, medium ID). Then
at step S514, the content producer or manager uses a
key (for example, the distribution key Kdisi) to encrypt
part or all of the content stored in the medium. At step
S515, the content producer distributes the encrypted
content via the medium such as a DVD, the
communication means, or the like, using a distribution unit
comprising the content ID, the master-key-generating
information used, and the encrypted content.
[0616] On the other hand, at step S516, for example,
the user device such as a recording and reproducing
device 300 determines whether or not it holds the
master key corresponding to the master key ID in the content
data distributed by the medium such as a DVD or by the
communication means. If it does not have the master
key corresponding to the master key ID in the content
data, the distributed content cannot be used by this user
device and the process is ended.
[0617] If the user device has the master key
corresponding to the master key ID in the content data, then
at step S517, it reads the content ID out from the content
data received via the medium, the communication
means, or the like. Then at step S518, the user device
generates a key applied to decryption of the encrypted
content based on the read-out content ID and its held
master key. This process is a distribution key Kdisi =
DES (MKdisi, contents ID) if it intends to get a distribution
key Kdisi. At step S519, contents are decrypted by
means of the key. At step S520, decrypted contents are
used, that is, reproduction or program is performed.
[0618] In this example, as shown in the lower part of 
Fig. 51, the content producer or manager has a master
key set comprising a plurality of master keys, for exam- 
ple, distribution-key-generating master keys MKdis 1 to 
n. On the other hand, the user device has one master 
key, for example, one distribution-key-generating mas- 
ter key KKdisi so that it can decrypt the content only 
when the content producer or manager has used the key 
KKdisi for the encryption. 

[0619] Fig. 52 shows an example where master keys
varying depending on the country are applied, as a
specific example of the aspect shown in the flow in Fig. 51.
The content provider has master keys MK1 to n, of which
the key MK1 is used to generate keys for encrypting
contents distributed to user devices for Japan. For example,
an encryption key K1 is generated from a content ID and
the key MK1 and then used to encrypt a content. The
master keys MK1 to n are further set such that the key
MK2 is used to generate keys for encrypting contents
distributed to user devices for the U.S., and the key MK3
is used to generate keys for encrypting contents
distributed to user devices for the EU (Europe).
[0620] On the other hand, for user devices for Japan,
specifically, recording and reproducing devices such as
PCs or game apparatuses which are sold in Japan, the
master key MK1 is stored in their internal memories, for
user devices for the U.S., the master key MK2 is stored
in their internal memories, and for user devices for the
EU, the master key MK3 is stored in their internal
memories.

[0621] With this configuration, the content provider
selectively uses one of the master keys MK1 to n
depending on user devices that can use a content, in order
to encrypt the content to be distributed to the user
devices. For example, to allow the content to be used only
by the user devices for Japan, the master key K1
generated using the master key MK1 is used to encrypt the
content. This encrypted content can be decrypted using
the master key MK1 stored in the user devices for
Japan, that is, allows a decryption key to be generated,
whereas the key K1 cannot be obtained from the master
keys MK2 and MK3 stored in the user devices for the
U.S. and EU, respectively, thereby preventing the
encrypted content from being decrypted.

[0622] In this manner, the content provider can
selectively use a plurality of master keys to set localization
for various contents. Fig. 52 shows an example where
the different master keys are used for the different
countries to which the user devices belong, but various use
forms are possible; for example, the master key can be
switched depending on the type of the user device or its
version, as described above.
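
The key generation of Fig. 49 and the multi-master-key flow of Figs. 51 and 52, as an added example that is not part of the patent text: the provider derives Kdis from a selected master key and the content ID, and a user device holding one regional master key regenerates it. HMAC-SHA-256 stands in for DES(MK, ID), an HMAC counter keystream stands in for the content cipher, and the master key IDs and key material are constructed assumptions.

```python
"""Individual keys generated from master keys (Figs. 49, 51 and 52), added example.

Assumptions: HMAC-SHA-256 stands in for DES(MK, ID); an HMAC counter keystream
stands in for the content cipher (demonstration only, no nonce or integrity);
master key IDs and all key material are constructed sample values.
"""
import hashlib
import hmac
from typing import Dict, NamedTuple, Optional


def derive_key(master_key: bytes, identifier: bytes) -> bytes:
    """Kdis = F(MKdis, content ID); the same shape gives Kake from IDmem and Kdev from IDdev."""
    return hmac.new(master_key, identifier, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with HMAC(key, counter) blocks; applying it twice restores the input."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class DistributionUnit(NamedTuple):
    """What step S515 distributes: content ID, master key ID, encrypted content."""
    content_id: bytes
    master_key_id: str
    encrypted_content: bytes


class ContentProvider:
    """Holds the whole master key set MK1..MKn and no per-user key list."""

    def __init__(self, master_keys: Dict[str, bytes]) -> None:
        self._master_keys = master_keys

    def package(self, content_id: bytes, content: bytes,
                master_key_id: str) -> DistributionUnit:
        kdis = derive_key(self._master_keys[master_key_id], content_id)  # S512, S513
        return DistributionUnit(content_id, master_key_id,
                                keystream_xor(kdis, content))  # S514, S515


class UserDevice:
    """Holds exactly one master key, fixed for its sales region."""

    def __init__(self, master_key_id: str, master_key: bytes) -> None:
        self._master_key_id = master_key_id
        self._master_key = master_key

    def open(self, unit: DistributionUnit) -> Optional[bytes]:
        if unit.master_key_id != self._master_key_id:  # S516: no matching master key
            return None
        kdis = derive_key(self._master_key, unit.content_id)  # S517, S518
        return keystream_xor(kdis, unit.encrypted_content)  # S519


SAMPLE_MASTER_KEYS = {  # constructed values, one per region as in Fig. 52
    "MK1": hashlib.sha256(b"constructed MK1 (Japan)").digest(),
    "MK2": hashlib.sha256(b"constructed MK2 (U.S.)").digest(),
    "MK3": hashlib.sha256(b"constructed MK3 (EU)").digest(),
}


def demo() -> dict:
    provider = ContentProvider(SAMPLE_MASTER_KEYS)
    movie = provider.package(b"CONTENT-0001", b"movie for Japan", "MK1")
    game = provider.package(b"CONTENT-0002", b"game for Japan", "MK1")
    japan = UserDevice("MK1", SAMPLE_MASTER_KEYS["MK1"])
    us = UserDevice("MK2", SAMPLE_MASTER_KEYS["MK2"])
    # One derived key becomes known: it opens its own content and nothing else.
    leaked_kdis = derive_key(SAMPLE_MASTER_KEYS["MK1"], b"CONTENT-0001")
    return {
        "japan_opens_movie": japan.open(movie),
        "japan_opens_game": japan.open(game),
        "us_opens_movie": us.open(movie),
        "leaked_key_on_movie": keystream_xor(leaked_kdis, movie.encrypted_content),
        "leaked_key_on_game": keystream_xor(leaked_kdis, game.encrypted_content),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

The containment shown here covers leaked derived keys only: every device of a region holds the same master key, so extracting that master key exposes every key derived from it.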

[0623] Next, Fig. 53 shows an example of a process
where an identifier unique to a medium, that is, a
medium ID and a master key are combined together. Here,
the medium refers to, for example, DVDs or CDs in
which contents are stored. The medium ID may be
unique to individual media, the titles of contents such as
movies, or individual medium manufacturing lots. In this
manner, medium IDs may be assigned in various
manners.

[0624] At step S52, a medium producer or manager
determines an identifier (medium identifier) for a
medium. At step S522, the medium producer or manager
generates a key for encrypting a content stored in the
medium based on its owned master key and a medium
ID. At this step, if, for example, the distribution key Kdis
is to be generated, it is generated based on the above
described Kdis = DES (MKdis, medium ID). Then at step
S523, the medium producer or manager uses a key (for
example, the distribution key Kdis) to encrypt part or all
of the content stored in the medium. The medium
producer supplies the medium storing the content
encrypted through these steps.
[0625] On the other hand, at step S524, a user device
such as the recording and reproducing device 300 reads
the medium ID from the supplied medium. Then at step
S525, the user device generates a key applied to
decryption of the encrypted content based on the read-out
medium ID and its owned master key. If the distribution
key Kdis is to be obtained, this generation process
corresponds to, for example, the distribution key Kdis =
DES (MKdis, medium ID). At step S526, the user device
uses this key to decrypt the content, and at step S527,
uses, that is, reproduces the decrypted content or
executes the program.

[0626] In this example, as shown in the lower part of 
Fig. 53, both the medium producer or manager and the 
user device have the master key (for example, the dis- 
tribution-key-generating master key MKdis) to sequen- 
tially generate the distribution key required to encrypt or 
decrypt the content based on their owned master key 
and each ID (medium ID). 

[0627] With this system, if any medium key leaks to a 
third person, the third person can decrypt the content in 
the medium, but contents stored in other media with dif- 
ferent medium IDs can be prevented from decryption, 
thereby minimizing the adverse effects of the leakage 
of one medium key on the entire system. Additionally, 
this system does not require the user device, that is, the 
recording and reproducing device to hold a key associ- 
ating list for each medium. Further, the size of a content 
encrypted with one medium key is limited to a capacity 
that can be stored within that medium, so that there is 
a slim possibility that the content reaches the amount of 
information required to attack the encrypted text, there- 
by reducing the possibility of decrypting the encrypted 
text. 

[0628] Next, Fig. 54 shows an example of a process 
where an identifier unique to the recording and repro- 
ducing device, that is, a recording and reproducing de- 
vice ID and a master key are combined together. 
[0629] At step S531, a recording and reproducing device
user generates a key for encrypting a content or the
like based on a master key and a recording and reproducing
device ID stored, for example, in the internal
memory of the recording and reproducing device. If, for
example, the content key Kcon is to be obtained, this
generation process corresponds to Kcon = DES (MKcon,
recording and reproducing device ID). Then at step
S532, the user uses a key (for example, the distribution
key Kcon) to decrypt the content. At step S533, the
user stores the encrypted content in the recording and
reproducing device such as a hard disk.
[0630] On the other hand, when the recording and reproducing
device user that has stored the content requests
the stored data to be recovered, a system manager
for managing the recording and reproducing device
reads a recording and reproducing device ID from the
recording and reproducing device. Then at step S535,
the system manager generates a key applied to recovery
of the encrypted content based on the read-out recording
and reproducing device ID and its owned master
key. If the content key Kcon is to be obtained, this generation
process corresponds to, for example, the content
key Kcon = DES (MKcon, recording and reproducing
device ID). At step S536, the user device uses this
key to decrypt the content.

[0631] In this example, as shown in the lower part of 
Fig. 54, both the recording and reproducing device user 
and the system manager have the master key (for ex- 
ample, the content-key-generating master key MKcon) 
to sequentially generate the distribution key required to 
encrypt or decrypt the content based on their owned 
master key and each ID (recording and reproducing de- 
vice ID). 

[0632] With this system, if the content key leaks to a 
third person, the third person can decrypt that content, 
but contents stored in other media with different record- 
ing and reproducing device IDs can be prevented from 
decryption, thereby minimizing the adverse effects of 
the leakage of one content key on the entire system. 
Additionally, this system does not require the system 
manager or the user device to hold a key associating 
list for each medium. 

[0633] Fig. 55 shows a configuration wherein an au- 
thentication key used for a mutual authentication proc- 
ess between a slave device, for example, the recording 
and reproducing device such as a memory card and a 
host device, for example, the recording and reproducing 
device is generated based on a master key. Although in 
the previously described authentication process (see 
Fig. 20), the authentication key is stored in the internal 
memory of the slave device in advance, it can be gen- 
erated during the authentication process based on the 
master key as shown in Fig. 55. 

[0634] For example, at step S541, the slave device
that is the recording device generates, as an initializa- 
tion process before starting the authentication process, 
the authentication key Kake for use in the mutual au- 
thentication process based on the master key and slave 
device ID stored in the internal memory of the slave de- 
vice that is the recording device. The authentication key 
is generated based on Kake = DES (MKake, slave de- 
vice ID). Then at step S542, the generated authentica- 
tion key is stored in the memory. 

[0635] On the other hand, at step S543, the host de- 
vice such as the recording and reproducing device 
reads a slave device ID out from the installed recording 
device, that is, the slave device via the communication 
means. Then at step S544, the host device generates 
an authentication key applied to a mutual authentication
process based on the read-out slave device ID and its 
owned authentication-key-generating master key. This 
generation process corresponds to, for example, the au- 
thentication key Kake = DES (MKake, slave device ID). 
At step S545, this authentication key is used to execute 
the authentication process. 

[0636] In this example, as shown in the lower part of 
Fig. 55, both the slave device and the master device 
have the master key, that is, the authentication-key-generating
master key MKake to sequentially generate the
distribution key required for the authentication process 
based on their owned master key and the slave device 
ID. 

[0637] With this system, if the authentication key 
leaks to a third person, this authentication key is effec- 
tive only on the corresponding slave device and authen- 
tication is not established with other slave devices, 
thereby minimizing the adverse effects of the leakage 
of the key. 

[0638] As described above, the data processing ap- 
paratus according to the present invention is configured 
so that the information such as the key which is required 
for the procedure for the cryptography information proc- 
ess between the two entities such as the content pro- 
vider and the recording and reproducing device, or the 
recording and reproducing device and the recording de- 
vice. Thus, even if the key information leaks from each 
entity, the range of damage incurred by the individual 
keys is further limited, and it also becomes unnecessary 
to manage key lists for the individual entities as de- 
scribed above. 
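The key diversification of Figs. 53 to 55 (K = DES (MK, ID)) and the containment claimed in [0627] and [0637], as an added example that is not part of the original document. HMAC-SHA256 truncated to 64 bits stands in for DES, the authentication is reduced to a one-way challenge-response rather than the mutual authentication of Fig. 20, and all keys, IDs and class names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample master keys (not values from the document).
MK_DIS = bytes.fromhex("0123456789abcdef")   # distribution-key-generating master key
MK_AKE = bytes.fromhex("fedcba9876543210")   # authentication-key-generating master key


def derive_key(master_key: bytes, identifier: bytes) -> bytes:
    """K = F(MK, ID). The document uses DES for F; this example swaps in
    HMAC-SHA256 truncated to 64 bits as the keyed function."""
    return hmac.new(master_key, identifier, hashlib.sha256).digest()[:8]


def response(kake: bytes, challenge: bytes) -> bytes:
    """Proof of possession of Kake over a host-chosen challenge."""
    return hmac.new(kake, challenge, hashlib.sha256).digest()


class SlaveDevice:
    """Recording device: derives Kake once from MKake and its own ID."""

    def __init__(self, slave_id: bytes, master_key: bytes):
        self.slave_id = slave_id
        self.kake = derive_key(master_key, slave_id)   # steps S541-S542

    def respond(self, challenge: bytes) -> bytes:
        return response(self.kake, challenge)


class ClonedSlave:
    """Models the leak in [0637]: holds one slave's Kake, claims another ID."""

    def __init__(self, claimed_id: bytes, leaked_kake: bytes):
        self.slave_id = claimed_id
        self.kake = leaked_kake

    def respond(self, challenge: bytes) -> bytes:
        return response(self.kake, challenge)


class Host:
    """Recording and reproducing device: keeps only MKake, no per-slave key list."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key

    def authenticate(self, slave, challenge: bytes) -> bool:
        # Steps S543-S544: read the slave ID, regenerate Kake from it.
        kake = derive_key(self.master_key, slave.slave_id)
        # Step S545: the key is only valid for the ID it was derived from.
        return hmac.compare_digest(response(kake, challenge),
                                   slave.respond(challenge))


def medium_keys(medium_ids):
    """Kdis per medium ID, as the producer (S522) and the user device (S525)
    would both compute it from the shared MKdis."""
    return {mid: derive_key(MK_DIS, mid) for mid in medium_ids}


if __name__ == "__main__":
    keys = medium_keys([b"MEDIUM-0001", b"MEDIUM-0002"])
    print("distinct per-medium keys:", len(set(keys.values())) == len(keys))
    host = Host(MK_AKE)
    card_a = SlaveDevice(b"CARD-A", MK_AKE)
    clone = ClonedSlave(b"CARD-B", card_a.kake)
    print("genuine card accepted:", host.authenticate(card_a, b"\x01" * 8))
    print("leaked key on other ID accepted:", host.authenticate(clone, b"\x01" * 8))
```

The scheme concentrates risk in the master key: every derived key is recomputable from it, so the containment shown here holds only for leaks of derived keys.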

(13) Control of Cryptography Intensity in Cryptography 
Process 

[0639] In the above described embodiments, the 
cryptography process between the recording and repro- 
ducing device 300 and the recording device 400 is prin- 
cipally described in conjunction with the example using 
the cryptography process based on the single DES con- 
figuration described with reference to Fig. 7. The en- 
cryption process method applied to the present data 
processing apparatus is not limited to the above de- 
scribed Single DES, but any encryption method may be 
employed depending on a required security state. 
[0640] For example, the Triple DES method configured
as shown in the previously described Figs. 8 to 10
is applicable. For example, both the cryptography proc- 
ess section 302 of the recording and reproducing device 
300 and the cryptography process section 401 of the 
recording device 400 shown in Fig. 3 can be configured 
so as to execute the Triple DES method so that a proc- 
ess can be executed which corresponds to the cryptog- 
raphy process based on the Triple DES method de- 
scribed in Figs. 8 to 10. 

[0641] The content provider, however, may give top
priority to processing speed dependent on the content
to use a 64-bit content key Kcon based on the Single
DES method, or give top priority to security to use a
128- or 192-bit content key Kcon based on the Triple
DES method. Accordingly, it is not preferable to configure
the cryptography process section 302 of the recording
and reproducing device 300 and the cryptography
process section 401 of the recording device 400 so as
to accommodate only one of the Triple and Single DES
methods. Therefore, the cryptography process section
302 of the recording and reproducing device 300 and
the cryptography process section 401 of the recording
device 400 are desirably configured so as to accommodate
both the Triple and Single DES methods.

[0642] However, to configure the cryptography process
section 302 of the recording and reproducing device
300 and the cryptography process section 401 of the
recording device 400 so as to execute both the Triple
and Single DES methods, different circuits and logics
must be configured for these cryptography process sections.
For example, to allow the recording device 400 to
execute a process corresponding to the Triple DES, a
command set for the Triple DES must be stored in the
command register shown in the above Fig. 29. This may
complicate the process section configured in the recording
device 400.

[0643] Thus, for the present data processing apparatus,
a configuration is proposed wherein the logic of the
cryptography process section 401 of the recording device
400 is configured to accommodate the Single DES,
while executing a process corresponding to the Triple
DES process to store data (keys, contents, or the like)
encrypted based on the Triple DES method, in the external
memory 402 of the recording device.
[0644] For example, in the example for the data format
type 0 shown in Fig. 32, when content data are
downloaded from the recording and reproducing device
300 to the recording device 400, the authentication process
is executed at step S101 in the previously described
Fig. 39 showing the flow of downloading data of the format
type 0, and the session key Kses is generated. Further,
at step S117, the cryptography process section 302
of the recording and reproducing device 300 encrypts
the content key Kcon with the session key Kses and
transmits the encrypted key to the recording device 400
via the communication means. At step S118, the cryptography
process section 403 of the recording device
400, which has received the encrypted key, decrypts the
content key Kcon with the session key Kses, further encrypts
it with the storage key Kstr, and transmits the resulting
key to the cryptography process section 302 of
the recording and reproducing device 300. The recording
and reproducing device 300 subsequently forms a
data format (step S121) and transmits formatted data to
the recording device 400, and the recording device 400
stores the received data in the external memory 402.
[0645] If the cryptography process executed by the
cryptography process section 401 of the recording device
400 between steps S117 and S118 of the above
process is configured to selectively execute either the
Single or Triple DES method, the cryptography process
section works whether the content provider provides
content data using the content key Kcon in accordance
with the Triple DES or the Single DES.
[0646] Fig. 56 shows a flow useful in explaining a configuration
for executing the cryptography process method
in accordance with the Triple DES method, using
both the cryptography process section 302 of the recording
and reproducing device 300 and the cryptography
process section 401 of the recording device 400.
Fig. 56 shows an example of a process for encrypting
the content key Kcon with the storage key Kstr which
process is executed in downloading content data from
the recording and reproducing device 300 to the recording
device 400, wherein the content key Kcon is based
on the Triple DES method. Here, the example of the
process for the content key Kcon is shown, but other
keys or other data such as contents can be similarly
processed.

[0647] The Triple DES method uses two or three keys 
in such a manner that a 64-bit key is used for the Single 
DES, while a 128- or 192-bit key is used for the Triple 
DES, as previously described in Figs. 8 to 10. These 
three content keys Kcon are referred to as Kcon1,
Kcon2, and (Kcon3). The Kcon3 is shown in the paren- 
theses because it may not be used. 
[0648] The process in Fig. 56 will be explained. At 
step S301, the mutual authentication process is carried
out between the recording and reproducing device 300 
and the recording device 400. This mutual authentica- 
tion process step is executed during the process in the 
previously described Fig. 20. During this authentication 
process, the session key Kses is generated. 
[0649] Once the authentication process at step S301 
has been completed, the integrity check values ICV in- 
cluding the integrity check values A and B, the content 
integrity check value, and the total integrity check value 
are collated. 

[0650] When all the check values (ICV) have been
collated and it has been determined that no data have
been tampered with, the process proceeds to step S303
where the control section 306 of the recording and reproducing
device cryptography process section 302 of
the recording and reproducing device 300 uses the encryption/decryption
section 308 of the recording and reproducing
device cryptography process section 302 as
well as the previously obtained or generated distribution
key Kdis, to decrypt the content key Kcon stored in the header
section of the data obtained from the medium 500 or
received from the communication means 600 via the
communication section 305. The content key in this
case is a triple DES type key, such as content keys
Kcon1, Kcon2, and (Kcon3).

[0651] Then at step S304, the control section 306 of 
the recording and reproducing device cryptography 
process section 302 causes the encryption/decryption 
section 308 of the recording and reproducing device 
cryptography process section 302 to encrypt only the 
content key Kcon1 of the content keys Kcon1, Kcon2,
and (Kcon3) decrypted at step S303, using the session 
key Kses made sharable during the mutual authentica- 
tion. 

[0652] The control section 301 of the recording and 
reproducing device 300 reads data containing the content
key Kcon1 encrypted with the session key Kses, out
from the recording and reproducing device cryptography
process section 302 of the recording and reproducing
device 300. The control section 301 then transmits
these data to the recording device 400 via the recording
device controller 303 of the recording and reproducing
device 300.

[0653] Then at step S305, on receiving the content
key Kcon1 transmitted from the recording and reproducing
device 300, the recording device 400 causes the encryption/decryption
section 406 of the recording device
cryptography process section 401 to decrypt the received
content key Kcon1 using the session key Kses
made sharable during the mutual authentication. Further
at step S306, the recording device 400 causes the
encryption/decryption section 406 to reencrypt the decrypted
content key with the storage key Kstr unique to
the recording device which is stored in the internal memory
405 of the recording device cryptography process,
and then transmits the reencrypted key to the recording
and reproducing device 300 via the communication section
404.

[0654] Then at step S307, the control section 306 of
the recording and reproducing device cryptography
process section 302 causes the encryption/decryption
section 308 of the recording and reproducing device
cryptography process section 302 to encrypt only the
content key Kcon2 of the content keys Kcon1, Kcon2,
and (Kcon3) decrypted at step S303, using the session
key Kses made sharable during the mutual authentication.

[0655] The control section 301 of the recording and
reproducing device 300 reads data containing the content
key Kcon2 encrypted with the session key Kses, out
from the recording and reproducing device cryptography
process section 302 of the recording and reproducing
device 300. The control section 301 then transmits
these data to the recording device 400 via the recording
device controller 303 of the recording and reproducing
device 300.

[0656] Then at step S308, on receiving the content
key Kcon2 transmitted from the recording and reproducing
device 300, the recording device 400 causes the encryption/decryption
section 406 of the recording device
cryptography process section 401 to decrypt the received
content key Kcon2 using the session key Kses
made sharable during the mutual authentication. Further
at step S309, the recording device 400 causes the
encryption/decryption section 406 to reencrypt the decrypted
content key with the storage key Kstr unique to
the recording device which is stored in the internal memory
405 of the recording device cryptography process
section 401, and then transmits the reencrypted key to
the recording and reproducing device 300 via the communication
section 404.

[0657] Then at step S310, the control section 306 of
the recording and reproducing device cryptography
process section 302 causes the encryption/decryption
section 308 of the recording and reproducing device
cryptography process section 302 to encrypt only the
content key Kcon3 of the content keys Kcon1, Kcon2,
and (Kcon3) decrypted at step S303, using the session
key Kses made sharable during the mutual authentication.

[0658] The control section 301 of the recording and 
reproducing device 300 reads data containing the con- 
tent key Kcon3 encrypted with the session key Kses, out 
from the recording and reproducing device cryptogra- 
phy process section 302 of the recording and reproduc- 
ing device 300. The control section 301 then transmits 
these data to the recording device 400 via the recording 
device controller 303 of the recording and reproducing 
device 300. 

[0659] Then at step S311, on receiving the content 
key Kcon3 transmitted from the recording and reproduc- 
ing device 300, the recording device 400 causes the en- 
cryption/decryption section 406 of the recording device 
cryptography process section 401 to decrypt the re- 
ceived content key Kcon3 using the session key Kses 
made sharable during the mutual authentication. Fur- 
ther at step S312, the recording device 400 causes the 
encryption/decryption section 406 to reencrypt the de- 
crypted content key with the storage key Kstr unique to 
the recording device which is stored in the internal mem- 
ory 405 of the recording device cryptography process, 
and then transmits the reencrypted key to the recording 
and reproducing device 300 via the communication sec- 
tion 404. 

[0660] Then at step S313, the cryptography process 
section of the recording and reproducing device forms 
the various data formats described in Figs. 32 to 35 and 
transmits them to the recording device 400. 
[0661] Finally, at step S314, the recording device 400 
stores the received formatted data in the external mem- 
ory 402. These format data contain the content keys 
Kcon1, Kcon2, and (Kcon3) encrypted with the storage
key Kstr. 

[0662] This process enables the content keys stored 
in the recording device 400 to be stored as keys based 
on the Triple DES cryptosystem. If only two content keys 
Kcon1 and Kcon2 are used, the processing from steps
S310 to S312 is omitted.

[0663] As described above, the recording device 400
can store the keys with the Triple DES applied thereto
in the memory by repeating processing of the same aspect,
that is, the process steps at steps S305 and S306
plural times with only the target changed. If the Single
DES is applied to the content keys Kcon, steps S305 and
S306 may be executed to carry out the formatting process
at step S313 before storing the keys in the memory.
Such a configuration may store commands for executing
the processing at steps S305 and S306 in the command
register in the previously described Fig. 29 and
execute this processing one to three times depending
on the aspect of the key, that is, whether the key is based
on the Triple or Single DES method. Accordingly the
processes based on both the Triple and Single DES
methods can be executed without containing the Triple
DES process method in the process logic of the recording
device 400. In this regard, the cryptosystem may be
recorded in the usage policy in the header section of the
content data so as to be determined by referencing the
usage policy.
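The repeated re-wrap of Fig. 56 (steps S304 to S314), as an added example that is not part of the original document. A toy 64-bit Feistel cipher built on SHA-256 stands in for Single DES; the class and function names and the key values are constructed for illustration.

```python
import hashlib

BLOCK = 8  # 64-bit block and key part, the size Single DES works on

# Constructed sample keys (not values from the document).
KSES = bytes.fromhex("1111111111111111")   # session key from mutual authentication
KSTR = bytes.fromhex("2222222222222222")   # storage key unique to the recording device


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function of the stand-in cipher."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 64-bit block (stand-in for a Single DES encryption)."""
    if len(block) != BLOCK:
        raise ValueError("block must be 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: the same rounds run in reverse order."""
    if len(block) != BLOCK:
        raise ValueError("block must be 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


class RecordingDevice:
    """Device 400: its logic knows only the single-block re-wrap command."""

    def __init__(self, kstr: bytes):
        self.kstr = kstr
        self.kses = None
        self.rewrap_count = 0
        self.external_memory = b""

    def set_session_key(self, kses: bytes) -> None:
        self.kses = kses                      # result of step S301

    def rewrap(self, wrapped_under_kses: bytes) -> bytes:
        """Steps S305 and S306 (also S308/S309 and S311/S312)."""
        if self.kses is None:
            raise RuntimeError("no session key: authenticate first")
        part = decrypt_block(self.kses, wrapped_under_kses)
        self.rewrap_count += 1
        return encrypt_block(self.kstr, part)

    def store(self, formatted: bytes) -> None:
        self.external_memory = formatted      # step S314


def download_content_key(kcon: bytes, kses: bytes, device: RecordingDevice) -> int:
    """Host side (device 300): split Kcon into 64-bit parts and run the same
    device command once per part. Returns the number of re-wrap commands."""
    if len(kcon) not in (8, 16, 24):
        raise ValueError("Kcon must be 64, 128 or 192 bits")
    before = device.rewrap_count
    wrapped = []
    for i in range(0, len(kcon), BLOCK):
        to_device = encrypt_block(kses, kcon[i:i + BLOCK])   # S304 / S307 / S310
        wrapped.append(device.rewrap(to_device))
    device.store(b"".join(wrapped))                           # S313, S314
    return device.rewrap_count - before


if __name__ == "__main__":
    dev = RecordingDevice(KSTR)
    dev.set_session_key(KSES)
    for kcon in (bytes(range(8)), bytes(range(16)), bytes(range(24))):
        n = download_content_key(kcon, KSES, dev)
        print(len(kcon) * 8, "bit Kcon ->", n, "re-wrap command(s)")
```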

(14) Program Activation Process Based on Activation 
Priority in Usage Policy in Content Data 

[0664] As understood from the content data configurations
in the previously described Figs. 4 to 6, the usage
policy stored in the header section of the content
data used in the present data processing apparatus contains
the content type and the activation priority. With a
plurality of accessible content data recorded in various
recording media such as the recording device 400, a
DVD, a CD, a hard disk, or a game cartridge, the recording
and reproducing device 300 in the present data
processing apparatus determines the order in which
these contents are activated, in accordance with the activation
priority.

[0665] The recording and reproducing device 300 executes
the mutual authentication with various recording
devices such as the recording device, a DVD device, a CD
drive device, and a hard disk drive device and then executes
the program in the content data with the top priority
in accordance with the priority in the content data. The
"Program Activation Process Based on Activation Priority
in Usage Policy in Content Data" will be explained
below.

[0666] The above description of the present data
processing apparatus focuses on the process executed
if the recording and reproducing device 300 reproduces
and executes content data from the one recording device
400. However, the recording and reproducing device
300 is generally configured so as to access, in addition
to the recording device 400, a DVD, a CD, and a
hard disk via the read section 304 as well as recording
media such as a memory card and a game cartridge
which are connected via the PIO 111 or SIO 112. Although
only one read section 304 is described in Fig. 2 in order to
avoid complicating the drawing, the recording and reproducing
device 300 can have different recording media,
for example, a DVD, a CD, a floppy disk, and a hard
disk installed therein in parallel.

[0667] The recording and reproducing device 300 can
access a plurality of recording media, each of which
stores content data. Content data supplied by an external
content provider such as a CD are stored in the medium
in the data configuration shown in the previously described
Fig. 4 or in each recording medium such as a
memory card in the content data configuration shown in
Figs. 26 or 27 if the data are taken out from the medium
or downloaded via the communication means. Furthermore,
specifically, the content data are stored on the
medium and the recording device in different formats
depending on the format type thereof, as shown in Figs.
32 to 35. In either case, the usage policy in the header
of the content data contains the content type and the
activation priority.

[0668] A process executed by the recording and re- 
producing device to activate a content if a plurality of 
content data are accessible will be explained in accord- 
ance with the flow. 

[0669] Fig. 57 shows a process flow showing an example
(1) of a process where there are a plurality of contents
that can be activated. At step S611, recording devices
that are accessible to the recording and reproducing device
300 are authenticated. The accessible recording
devices include a memory card, a DVD device, a CD
drive, a hard disc device, and a game cartridge or the
like which is connected, for example, via the PIO 111 or
SIO 112. Each recording device is authenticated under
the control of the control section 301 shown in Fig. 2, for
example, in accordance with the procedure previously
explained in Fig. 20.

[0670] Next, at step S612, programs that can be ac- 
tivated are detected from the content data stored in the 
memory of the successfully authenticated recording de- 
vice. Specifically, this is executed as a process of ex- 
tracting contents for which the content type contained 
in the usage policy of the content data indicates a pro- 
gram. 

[0671] Then at step S613, the priority of the program 
that can be activated and which has been extracted at 
step S612 is determined. Specifically, this corresponds 
to a process of comparing the priorities contained in the 
usage policies in the headers of the plurality of content 
data that can be activated in step S612, to select the top 
priority. 

[0672] Then at step S614, the selected program is activated.
If the plurality of programs that can be activated
have the same priority, default priorities are set for the 
recording devices so that the content program stored in 
the device with the top priority is executed. 
[0673] Fig. 58 shows an example (2) of a process 
where identifiers are set for a plurality of recording de- 
vices so that the authentication and the retrieval of a 
content program are sequentially executed for the re- 
cording devices with the identifiers, that is, a process for 
a plurality of contents that can be activated. 
[0674] At step S621, recording devices (i) installed in
the recording and reproducing device 300 are authenticated.
A plurality of (n) recording devices 400 are sequentially
imparted with identifiers 1 to n.
[0675] At step S622, it is determined whether or not
the authentication at step S621 has been successful,
and if so, the process proceeds to step S623 where programs
that can be activated are retrieved from the recording
media of the recording devices (i). If the authentication
has failed, the process proceeds to step S627
where it is determined whether or not there is a new recording
device from which a content can be retrieved.
Without such a recording device, the process is ended,
and otherwise the process advances to step S628 to update
the recording device identifier i and repeat step
S621 and the subsequent authentication process steps.
[0676] At step S623, programs that can be activated
are detected from the content data stored in the recording
devices (i). Specifically, this is executed as a process
of extracting contents for which the content type contained
in the usage policy of the content data indicates
a program.

[0677] At step S624, it is determined whether or not
the contents of which the content type is a program have
been extracted. If such contents have been extracted,
one of the extracted programs which has the top priority
is selected at step S626, and the selected program is
executed at step S626.

[0678] If it is determined at step S624 that no content
of which the content type is a program has been extracted,
the process proceeds to step S627 to determine
whether or not there is a new recording device from
which a content can be retrieved. Without such a recording
device, the process is ended, and otherwise, the
process proceeds to step S628 to update the recording
device identifier i and repeat step S621 and the subsequent
authentication process steps.
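The two selection flows of Fig. 57 and Fig. 58 side by side, as an added example that is not part of the original document. The data model, the sample devices, and the convention that a lower number means a higher priority are assumptions made for illustration; the document does not state how priorities are encoded.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Content:
    content_id: str
    content_type: str      # from the usage policy: "program" or "data"
    priority: int          # activation priority (assumption: lower wins)


@dataclass
class Device:
    name: str
    default_priority: int  # per-device default used to break ties (assumption: lower wins)
    authenticates: bool    # outcome of the Fig. 20 mutual authentication
    contents: List[Content] = field(default_factory=list)


def programs_on(device: Device) -> List[Content]:
    """Steps S612 / S623: keep only contents whose content type is a program."""
    return [c for c in device.contents if c.content_type == "program"]


def select_across_all(devices: List[Device]) -> Optional[str]:
    """Fig. 57: authenticate every device, pool the programs, take the top
    priority, and break ties with the device default priority."""
    candidates = [
        (c.priority, d.default_priority, c.content_id)
        for d in devices if d.authenticates          # S611
        for c in programs_on(d)                      # S612
    ]
    if not candidates:
        return None
    return min(candidates)[2]                        # S613, S614


def select_sequential(devices: List[Device]) -> Optional[str]:
    """Fig. 58: walk devices in identifier order 1..n and stop at the first
    authenticated device that holds a program."""
    for d in devices:                                # S621, S628
        if not d.authenticates:                      # S622 -> S627
            continue
        found = programs_on(d)                       # S623
        if found:                                    # S624
            return min(found, key=lambda c: c.priority).content_id
    return None


# Constructed sample set, listed in identifier order 1..4.
SAMPLE_DEVICES = [
    Device("memory card", 4, False, [Content("card-game", "program", 1)]),
    Device("DVD", 3, True, [Content("movie", "data", 1),
                            Content("dvd-menu", "program", 3)]),
    Device("hard disk", 2, True, [Content("hdd-tool", "program", 2)]),
    Device("game cartridge", 1, True, [Content("cart-game", "program", 2)]),
]

if __name__ == "__main__":
    print("Fig. 57 choice:", select_across_all(SAMPLE_DEVICES))
    print("Fig. 58 choice:", select_sequential(SAMPLE_DEVICES))
```

In both flows the priority-1 program on the memory card is never considered because its device failed authentication, and the two flows can pick different programs from the same set of media.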
[0679] Fig. 59 shows a process flow showing an example
of a process for a plurality of contents that can
be activated. At step S651, recording devices that are
accessible to the recording and reproducing device 300
are authenticated. Accessible DVD device, CD drive,
hard disc device, and game cartridge or the like are authenticated.
Each recording device is authenticated under
the control of the control section 301 shown in Fig.
2, for example, in accordance with the procedure previously
explained in Fig. 20.

[0680] Next, at step S652, programs that can be activated
are detected from the content data stored in the
memory of the successfully authenticated recording device.
Specifically, this is executed as a process of extracting
contents for which the content type contained
in the usage policy of the content data indicates a program.

[0681] Then at step S653, information such as the
name of the program that can be activated and which
has been extracted at step S652 is displayed on a display
means. Although the display means is not shown
in Fig. 2, AV output data are output to the display means
(not shown). User provided information such as a program
name for each content data is stored in the content
ID of the content data so that program information such
as a program name for each authenticated content data
is output to the output means via the control section 301
under the control of the main CPU 106 shown in Fig. 2.
[0682] Then at step S654, the main CPU 106 receives
the user's program selection input from the input means
such as the input interface, controller, mouse, or keyboard
shown in Fig. 2 via the interface 110, and at step
S655, executes the user selected program in accordance
with the selection input.

[0683] As described above, in the data processing ap- 
paratus according to the present invention, the program 
activation priority is stored in the usage policy in the
header of the content data so that the recording and re- 
producing device 300 activates programs in accordance 
with this priority or the display means displays activated 
program information from which the user selects a de- 
sired program. This configuration eliminates the need 
for the user to retrieve programs to save the amount of 
time and labor required for the activation. Additionally, 
the programs that can be activated are activated after 
all the recording devices have been authenticated or are 
shown to be such programs, thereby eliminating the 
complicatedness of the process such as the need to validate
a program after selection.

(15) Content Configuring and Reproducing 
(Decompressing) Process 

[0684] In the data processing apparatus according to 
the present invention, the recording and reproducing de- 
vice 300 downloads a content from the medium 500 or 
the communication means 600 or reproduces data from 
the recording device 400, as described above. The 
above description focuses on the processing of encrypt- 
ed data associated with the downloading or reproduc- 
tion of a content. 

[0685] The control section 301 of the recording and 
reproducing device 300 in Fig. 3 generally controls the 
authentication, encryption, and decryption processes 
associated with the downloading or reproduction of con- 
tent data from the device 500 such as a DVD which pro- 
vides content data, the communication means 600, or 
the recording device. 

[0686] Reproducible contents resulting from these 
processes are, for example, sound or image data or the 
like. Decrypted data from the control section 301 are 
placed under the control of the main CPU shown in Fig. 
2 and output to the AV output section depending on the 
sound or image data or the like. If, however, the content is,
for example, sound data that have been MP3-compressed,
an MP3 decoder in the AV output section
shown in Fig. 2 decrypts and outputs the sound data. In
addition, if the content data are images that have been
MPEG2-compressed, an MP2 decoder in the AV output
section decompresses and outputs the image data. In
this manner, the data contained in the content data may
or may not have been compressed (encoded), and are
output after being processed depending on the content.
[0687] However, due to various types of compression 
and decompression process programs, even if the con- 
tent provider provides compressed data, these data 
cannot be reproduced without a corresponding decom- 
pression process executing program. 
[0688] Thus, the present invention discloses a data
processing apparatus wherein compressed data and a
decryption (decompression) process program therefor
are stored in a data content or link information for the
compressed data and the decryption (decompression)
process program therefor is stored as header information
in the content data.

[0689] Fig. 60 is a view obtained by simplifying elements
from the general view of data processing shown
in Fig. 2 which relate to this configuration. The recording
and reproducing device 300 receives various contents
from the device 500 such as a DVD or a CD, the communication
means 600, or the recording device 400
such as a memory card which stores contents. These
contents include various data such as sound data, still
images, animated image data, and program data which
have or have not been encrypted or compressed.
[0690] If the received content has been encrypted, the
decryption process is executed using a method such as
that described above and based on the control of the
control section 301 and the cryptography process by the
cryptography process section 302. The decrypted data
are transferred to the AV process section 109 under the
control of the CPU 106, where the data are stored in a
memory 3090 of the AV process section 109. Then, a
content analysis section 3091 analyzes the configuration
of the content. If, for example, a data decompressing
program is stored in the content, it is stored in a program
storage section 3093. If the content contains
sound or image data or the like, these data are stored
in a data storage section 3092. A decompression process
section 3094 uses a decompression process program
such as MP3 which is stored in the program storage
section, to decompress compressed data stored in
the data storage section 3092. The data are then output
to speakers 3001 or a monitor 3002.

[0691] Next, some examples of configurations of data
received by the AV process section 109 via the control
section 301 and of relevant processes will be explained.
Here, sound data will be shown as an example of a content,
and a content with the MP3 applied thereto will be
described as a representative compression program.
This configuration, however, is applicable to image data
as well as sound data, and not only the MP3 decompression
process program but also other various such
programs for MPEG2 or MPEG4 can be applied thereto.
[0692] Fig. 61 shows an example of the configuration
of a content. This figure shows music data 6102 compressed
by means of the MP3 and an MP3 decryption
(decompression) process program 6101, which are integrated
together into one content. Such contents are
each stored in the medium 500 or the recording device
400 and distributed from the communication means
600, as a single content. If these contents have been
encrypted as previously described, the recording and
reproducing device 300 uses the cryptography process
section 303 to decrypt the content and then transfers it
to the AV process section 109.

[0693] The content analysis section 3091 of the AV
process section 109 analyzes the received content, which
comprises a sound data decompression program (MP3 decoder)
section and a compressed sound data section, takes the
sound data decompression program (MP3 decoder) section
out from the content, and stores it in
the program storage section 3093 while storing the compressed
sound data in the data storage section 3092.
The content analysis section 3091 may receive information
such as a content name or content configuration information
in addition to the content, or analyze the content
based on identification data such as a data name
or other data such as a data length or a data configuration
which are all contained in the content. Then, a compression
and decompression process section 3094 decompresses
the MP3-compressed sound data stored in
the data storage section 3092 in accordance with the
sound data decompression program (MP3 decoder)
stored in the program storage section 3093. The AV
process section 109 then outputs the decompressed
sound data to the speakers 3001.
[0694] Fig. 62 shows a flow showing an example of a
process for reproducing data of the content configuration
in Fig. 61. At step S671, a data name stored in the
memory 3090 of the AV process section 109, for example,
information such as the title of music present if the
content is sound data is taken out from the information
received separately from the content or from data in the
content, and is then displayed on the monitor 3002. At
step S672, the user's selection is received from one of
the various input means such as the switches and the
keyboard via the input interface 110, and a reproduction
process command based on user input data is then output
to the AV process section 109 under the control of
the CPU 106. At step S673, the AV process section 109
extracts and decompresses data selected by the user.
[0695] Next, Fig. 63 shows an example of a configu- 
ration wherein a content contains either the compressed 
sound data or the decompression process program and 
also contains content information indicating what the 
content contains, as header information for each con- 
tent. 

[0696] As shown in Fig. 63, if the content is a program 
6202, the content contains as header information 6201 
content identification information indicating that this is a 
program and that the type of program is to be MP3-de- 
compressed. On the other hand, if sound data 6204 are 
contained as a content, the content information in the 
header 6203 indicates that the data have been 
MP3-compressed. This header information can be configured
by selecting only information required for reproduction
from the data contained in the usage policy (see
Fig. 5) in the above described content data configuration
shown, for example, in Fig. 4 and adding this information
to the content transferred to the AV process section 109.
Specifically, identification values for usage policy data 
required for the cryptography process section 302 and 
for data required for the AV process section 109 during 
the reproduction process are added to each constituent 
data of the "usage policy" shown in Fig. 5, and only data 
indicating that these identification values are required 
for the AV process section 109 are extracted as header 
information. 

[0697] On receiving each content shown in Fig. 63,
the content analysis section 3091 of the AV process section
109 stores, in accordance with the header information,
a program content in the program storage section
3093 if the content is a program or in the data storage
section 3092 if the content is data. Thereafter, the compression
and decompression section 3094 takes the data
out from the data storage section and decompresses
them in accordance with the MP3 program stored in the
program storage section 3093 before outputting the decompressed
data. If the program storage section 3093
has the same program already stored therein, the program
storage process may be omitted.
[0698] Fig. 64 shows a flow showing an example of a
process for reproducing data of the content configuration
in Fig. 63. At step S675, a data name stored in the
memory 3090 of the AV process section 109, for example,
information such as the title of music present if the
content is sound data is taken out from the information
received separately from the content or from the header
in the content, and is then displayed on the monitor
3002. At step S676, the user's selection is received from
one of the various input means such as the switches
and the keyboard via the input interface 110.
[0699] Then at step S677, a data reproducing program
(for example, the MP3) corresponding to the user
selection is retrieved. The maximum range of this program
retrieval is preferably set as the possible access
range of the recording and reproducing device 300, and
for example, the media 500, communication means 600,
and recording device 400 shown in Fig. 60 are included
in the retrieval range.

[0700] The only content passed to the AV process
section 109 is the data section, while the program content
may be stored in another recording medium in the
recording and reproducing device 300 or provided by
the content provider via the medium such as a DVD or
a CD. Accordingly, the retrieval range is set as the possible
access range of the recording and reproducing device
300. When a reproduction program is found as a
result of the retrieval, a reproduction process command
based on the user input data is output to the AV process
section 109 under the control of the CPU 106. At step
S679, the AV process section 109 extracts and decompresses
data depending on the user's selection. In another
embodiment, the program retrieval is executed before
step S675 so that only the data in which the program
has been detected are displayed at step S675.
[0701] Next, Fig. 65 shows an example of a configuration
wherein a content contains compressed sound
data 6303 and decompression process program 6302
and further contains a content reproduction priority as
header information 6301 therefor. This is an example of
the above content configuration in Fig. 61 with the reproduction
priority added thereto as header information.
As in the above described section "(14) Program Activating
Process Based on Activation Priority in Usage
Policy in Content Data", the order of reproduction is determined
based on a reproduction priority set among
contents received by the AV process section 109.
[0702] Fig. 66 shows a flow showing an example of a
process for reproducing data of the content configuration
in Fig. 65. At step S681, data stored in the memory
3090 of the AV process section 109, that is, data information
for data to be reproduced is set in a retrieval list.
The retrieval list is set using some areas of the memory
in the AV process section 109. Then at step S682, the
content analysis section 3091 of the AV process section
109 selects data of top priority, and at step S683, reproduces
the selected data.

[0703] Next, Fig. 67 shows an example of a configu- 
ration wherein a content comprises a combination of 
header information and program data 6402 or header 
information 6403 and compressed data 6404 and 
wherein a reproduction priority is added only to the 
header 6403 of the data content. 
[0704] Fig. 68 shows a flow showing an example of a
process for reproducing data of the content configuration
in Fig. 67. At step S691, data stored in the memory
3090 of the AV process section 109, that is, data information
for data to be reproduced is set in a retrieval list.
The retrieval list is set using some areas of the memory
in the AV process section 109. Then at step S692, the
content analysis section 3091 of the AV process section
109 selects data of top priority.

[0705] Then at step S693, a data reproducing pro- 
gram (for example, the MP3) corresponding to the user 
selection is retrieved. As in the process in the flow in 
Fig. 64, the maximum range of this program retrieval is 
preferably set as the possible access range of the re- 
cording and reproducing device 300, and for example, 
the media 500, communication means 600, and record- 
ing device 400 shown in Fig. 60 are included in the re- 
trieval range. 

[0706] When a reproduction program is found as a re- 
sult of the retrieval (Yes at step S694), the selected data 
are decompressed and reproduced using the program 
obtained as a result of the retrieval. 
[0707] On the other hand, if no program is found as a
result of the retrieval (Yes at step S694), the process
proceeds to step S696 to delete those of the remaining
data contained in the retrieval list set at step S691 that
must be reproduced using the same program. This is
because it is apparent that a new attempt to retrieve a
reproduction program for these data would fail. Furthermore,
it is determined whether or not the retrieval
list is empty, and if the list is determined not to be empty,
the process returns to step S692 to extract data of the
next highest priority to execute the program retrieving
process.
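The retrieval loop of Fig. 68, together with the header-based sorting of programs and data described for Figs. 63 and 67, can be sketched as follows. This is an added example, not code from the patent; the `Content` record, the function names, the rule that a smaller number means a higher priority, and the continuation to the next entry after a successful reproduction are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Content:
    """One content as seen by the content analysis section (hypothetical layout)."""
    name: str                       # data name shown to the user
    kind: str                       # header information: "program" or "data"
    codec: str                      # header information: e.g. "MP3", "MPEG4"
    priority: Optional[int] = None  # only data headers carry it (Fig. 67)


def find_program(codec: str,
                 sources: Sequence[Sequence[Content]]) -> Optional[Content]:
    """S693: search every source in the retrieval range for a matching decoder."""
    for source in sources:
        for item in source:
            if item.kind == "program" and item.codec == codec:
                return item
    return None


def reproduce_by_priority(
    received: Sequence[Content],
    retrieval_range: Sequence[Sequence[Content]],
) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (reproduced, dropped): which data would be decoded by which
    program, and which data were removed from the retrieval list."""
    # Programs that arrived with the data go to the program storage section
    # and are searched first; the rest of the access range follows.
    program_storage = [c for c in received if c.kind == "program"]
    sources = [program_storage, *retrieval_range]

    # S691: set the data to be reproduced in the retrieval list.
    retrieval_list = [c for c in received if c.kind == "data"]
    reproduced: List[Tuple[str, str]] = []
    dropped: List[str] = []

    while retrieval_list:  # loop until the retrieval list is empty
        # S692: select the data of top priority (entries without one go last).
        current = min(retrieval_list,
                      key=lambda c: (c.priority is None, c.priority or 0))
        retrieval_list.remove(current)

        program = find_program(current.codec, sources)  # S693
        if program is not None:                         # S694: program found
            reproduced.append((current.name, program.name))
            continue

        # S696: no decoder exists, so every remaining entry that needs the
        # same program is deleted instead of being searched for again.
        dropped.append(current.name)
        dropped.extend(c.name for c in retrieval_list
                       if c.codec == current.codec)
        retrieval_list = [c for c in retrieval_list
                          if c.codec != current.codec]

    return reproduced, dropped


# Constructed sample input: four data contents and one reachable decoder.
SAMPLE_RECEIVED = [
    Content("track-a", "data", "MP3", 2),
    Content("clip-b", "data", "MPEG4", 1),
    Content("clip-c", "data", "MPEG4", 3),
    Content("track-d", "data", "MP3", 4),
]
SAMPLE_RANGE = [
    [Content("mp3-decoder", "program", "MP3")],  # medium 500
    [],                                          # communication means 600
    [Content("old-track", "data", "MP3", 9)],    # recording device 400
]

if __name__ == "__main__":
    print(reproduce_by_priority(SAMPLE_RECEIVED, SAMPLE_RANGE))
```

With the sample input, the top-priority MPEG4 clip has no decoder anywhere in the retrieval range, so both MPEG4 entries are dropped after a single search and the MP3 tracks are reproduced in priority order.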

[0708] Thus, according to this configuration, if the
compressed content is constructed with its decryption
(decompression) program or comprises only data obtained
by compressing the content or only the decompression
process program, since it has the header information
indicating what compressed data the content
is or what process the content executes, the process
section (for example, the AV process section) receiving
the content uses the decompression process program
attached to the compressed data in order to execute the
decompression and reproduction process or retrieves
the decompression and reproduction program based on
the header information in the compressed data to execute
the decompression and reproduction process in accordance
with the program obtained as a result of the
retrieval. This eliminates the need for processes executed
by the user such as the selection and retrieval of
the data decompressing program to reduce burdens on
the user, thereby enabling efficient data reproduction.
Moreover, the configuration having the reproduction priority
in the header enables the reproduction order to be
automatically set to allow the user to omit the operation
of setting the reproduction order.
[0709] In the above described embodiments, the MP3
is taken as an example of a decompression process program
for compressed sound data contents and sound
compressed data, but this configuration is also applicable
to contents containing compressed data or a decompression
process program for compressed image data
and provides similar effects in this case.

(16) Generation of Save Data and Storage and
Reproduction of the Same in and from Recording
Device

[0710] If, for example, the content executed in the recording
and reproducing device 300 is a game program
or the like and if the game program is to be resumed a
predetermined period of time after suspension, the state
of the game and the like at the time of the suspension
are saved, that is, stored in the recording device so as
to be read out on resumption to enable the game to be
continued.

[0711] In conventional recording and reproducing devices
for game apparatuses, personal computers, or the
like, a save data preservation configuration is provided
so as to preserve save data in a
recording medium such as a memory card, a floppy disk,
a game cartridge, or a hard disk which can be built into
the recording and reproducing device or externally attached
thereto. In particular, however, these recording
and reproducing devices have no configuration for
maintaining the security of the save data and carry out
the save process using, for example, specifications
common to a game application program.
[0712] Thus, for example, save data saved using a recording
and reproducing device A may be used or rewritten
by another game program; little attention has
been paid to the security of the save data.
[0713] The data processing apparatus according to
the present invention provides a configuration that can
maintain the security of save data. For example, save
data for a certain game program are encrypted based
on information used only by this game program before
being stored in the recording device. Alternatively, the
save data are encrypted based on information unique
to the recording and reproducing device before being
stored in the recording device. These methods enable
the usage of the save data to be limited to particular apparatuses
or programs to maintain the security of the
data. "Generation of Save Data and Storage and Reproduction
of the Same in and from Recording Device" in
the present data processing apparatus will be explained
below.

[0714] Fig. 69 is a block diagram useful in explaining
a save data storage process in the present data
processing apparatus. A content from the medium 500
such as a DVD or CD or the communication means 600
is provided to the recording and reproducing device 300.
The provided content has been encrypted with the content
key Kcon, which is a key unique to the content as
described above, and the recording and reproducing device
300 obtains the content key in accordance with the
process described in the above described section "(7)
Process for Downloading from Recording and Reproducing
Device to Recording device" (see Fig. 22), to decrypt
the encrypted content and then stores it in the recording
device 400. The following description is directed
to a process executed by the recording and reproducing
device 300 to decrypt a content program from the medium
or the communication means, reproduce and execute
this program, and then store the obtained save
data in one of the various recording devices 400A, 400B,
and 400B such as external or built-in memory card and
hard disk for reproduction, or to download a content in
the recording device 400A, reproduce and execute the
content from the recording device 400A, and store the
resulting save data in a processing and recording device
400 for storing the save data in any one of the various
recording devices 400A, 400B, and 400B such as external
or built-in memory card and hard disk for reproduction
and reproducing the save data.
[0715] The recording and reproducing device 300 has
the recording and reproducing device identifier IDdev, 
the system signature key Ksys, which is a signature key 
shared throughout the system, the recording and repro- 
ducing device signature key Kdev, which is unique to 
individual recording and reproducing devices, and the 
master keys for generating various individual keys, as 
previously described. The master keys are used to gen- 
erate, for example, the distribution key Kdis or the au- 
thentication key Kake, as described in detail in "(12) 
Configuration for Generating Cryptography Process 
Keys Based on Master Keys". Here, the type of the mas- 
ter key is not particularly limited but a key representing 
the master keys of the recording and reproducing device 
300 is denoted by MKx. Fig. 69 shows an example of 
the cryptography key Ksav for save data in the lower 
part thereof. The save data cryptography key Ksav is 
used for the encryption process executed to store save 
data in one of the various recording devices 400A to C
and for the decryption process executed to reproduce
these data therefrom. The processes for storing and reproducing
save data will be explained with reference to
Fig. 70 and subsequent figures. 

[0716] Fig. 70 is a flow chart of a process of storing 
save data in one of the recording devices 400A to C using
either the content unique key or the system common 
key. The process in each flow is executed by the record- 
ing and reproducing device 300, and the recording de- 
vice 400 storing the save data in each flow may be any 
of the external recording devices 400A to C and is not 
limited to a particular one. 

[0717] At step S701, the recording and reproducing 
device 300 reads out the content ID, for example, the 
game ID. This ID is the data contained in the identifica- 
tion information in the content data shown in the previ- 
ously described Figs. 4, 26, 27, and 32 to 35. On receiv- 
ing a command for storage of save data via the interface 
110 shown in Fig. 2, the main CPU 106 commands the 
control section 301 to read the content ID. 
[0718] The control section 301 takes the identification 
information out from the header in the content data via 
the read section if the execution program is a content 
from a DVD, a CD-ROM, or the like which is executed
via the read section 304, or takes it out via the recording 
device controller 303 if the execution program is a con- 
tent stored in the recording device 400. If the recording 
and reproducing device 300 is executing the content 
program and the content ID has already been stored in 
a RAM or another accessible recording medium in the
recording and reproducing device, the identification in- 
formation contained in the loaded data may be used 
without executing a new read process. 
[0719] Then at step S702, the process is changed de- 
pending on whether or not the program is to be localized. 
The program localization is used to set whether or not 
a limitation is added which allows save data to be used 
only by this program; to allow the save data to be used 
only by this program, "Program Localization" is set to 
"Yes", and to prevent the usage of the data from being 
limited to this program, "Program Localization" is set to 
"No". This may be arbitrarily set by the user or may be 
set and stored in the content program by the content 
producer, and the set localization is stored in one of the 
recording devices 400A to C of Fig. 69 as a data managing
file.

[0720] Fig. 71 shows an example of the data manag- 
ing file. The data managing file is generated as a table 
containing entries including data numbers, content IDs, 
recording and reproducing device IDs, and program localization.
The content ID is identification data for a content
program for which save data are saved. The recording
and reproducing device ID indicates a recording and
reproducing device that has stored the save data, and 
an example thereof is [IDdev] shown in Fig. 69. The pro- 
gram localization is set to "Yes" in order to allow the save 
data to be used only by this program or to "No" in order 
to prevent the usage of the data from being limited to 
this program. The program localization may be arbitrarily
set by the user using the content program or may be
set and stored in the content program by the content
producer.

[0721] Referring back to Fig. 70, the explanation of the
flow continues. If the program localization is set to
"Yes" at step S702, the process proceeds to step S703.
At step S703, the key unique to the content, for example,
the content key Kcon is read out from the content data
and used as the save data cryptography key Ksav, or
the save data cryptography key Ksav is generated
based on the content unique key.
[0722] On the other hand, if the program localization 
is set to "No" at step S702, the process proceeds to step 
S707. At step S707, the system common key stored in
the recording and reproducing device 300, for example,
the system signature key Ksys is read out from the internal
memory 307 of the recording and reproducing device
300 and used as the save data cryptography key
Ksav, or the save data cryptography key Ksav is gener- 
ated based on the system signature key Ksys. Alterna- 
tively, a cryptography key different from the other keys 
which has been separately saved to the internal memory 
307 of the recording and reproducing device 300 may 
be used as the save data cryptography key Ksav. 
[0723] Then at step S704, the save data cryptography key
Ksav selected or generated at step S703 or S707 is 
used to execute a process for encrypting save data. This 
encryption process is executed by the cryptography 
process section 302 of Fig. 2 by applying, for example, 
the above described DES algorithm. 
[0724] The save data encrypted at step S704 are 
stored in the recording device at step S705. If there are 
a plurality of recording devices that can store save data, 
as shown in Fig. 69, the user selects in advance one of 
the recording devices 400A to C as a save data storage
destination. Further, at step S706, the program localization
set at step S702, that is, "Yes" or "No" for the program
localization is written to the data managing file described
with reference to Fig. 71.
[0725] The process for storing the save data is thus 
completed. Save data for which "Yes" is
selected for the program localization at step S702 and 
which are encrypted at step S703 with the save data 
encryption key Ksav generated based on the content 
unique key are prevented from being decrypted by con- 
tent programs having no content unique key informa- 
tion, so that these save data can be used only by content 
programs having the same content key information. In 
this case, however, the save data encryption key Ksav 
is not generated based on information unique to the re- 
cording and reproducing device, so that save data 
stored in a removable recording device such as a mem- 
ory card can be reproduced even from a different record- 
ing and reproducing device as long as they are used 
together with a corresponding content program. 
[0726] Additionally, save data for which "No" is selected
for the program localization at step S702 and which
are encrypted at step S707 with the save data encryption
key Ksav based on the system common key can be
reproduced and used even if a program with a different
content identifier is used or if a different recording and
reproducing device is used.

[0727] Fig. 72 shows a flow showing a process for reproducing
save data stored by means of the save data
storage process in Fig. 20.

[0728] At step S711, the recording and reproducing
device 300 reads out the content ID, for example, the
game ID. This is a process similar to step S701 of the
previously described Fig. 70, and reads out data
contained in the identification information in the content
data.

[0729] Then at step S712, the data managing file described
with reference to Fig. 71 is read out from one of
the recording devices 400A to C shown in Fig. 69, and
the content ID read out at step S711 and correspondingly
set program localization are extracted therefrom.
If the data managing file has the program localization
set to "Yes", the process proceeds to step S714, whereas
if the data managing file has the program localization
set to "No", the process advances to step S717.
[0730] At step S714, the key unique to the content, for
example, the content key Kcon is read out from the content
data and used as the save data decryption key
Ksav, or the save data decryption key Ksav is generated
based on the content unique key. This decryption key
generating process uses a process algorithm corresponding
to the encryption key generating process, that
is, a decryption key generating algorithm that enables
data encrypted based on a certain content unique key
to be decrypted with a decryption key generated based
on the same content unique key.
[0731] On the other hand, if it is determined at step
S712 that the data managing file has the program localization
set to "No", then at step S717, the system common
key stored in the recording and reproducing device
300, for example, the system signature key Ksys is read
out from the internal memory 307 of the recording and
reproducing device 300 and used as the save data decryption
key Ksav, or the save data decryption key Ksav
is generated based on the system signature key Ksys.
Alternatively, a cryptography key different from the other
keys which has been separately saved to the internal
memory 307 of the recording and reproducing device
300 may be used as the save data cryptography key
Ksav.

[0732] Then at step S715, the save data decryption
key Ksav selected or generated at step S714 or S717
is used to execute a process for decrypting save data,
and at step S716, the decrypted save data are reproduced
and executed in the recording and reproducing
device 300.

[0733] The save data reproduction process is thus
completed. As described above, the save data decryption
key is generated based on the content unique key
if the data managing file has the program localization
set to "Yes", while the save data decryption key is generated
based on the system common key if the data
managing file has the program localization set to "No".
If the program localization is set to "Yes", a decryption
key cannot decrypt the save data without the same content
ID for the content, thereby enabling the security of
the save data to be improved.

[0734] Figs. 73 and 74 show save data storage and 
reproduction flows, respectively, that generate save da- 
ta encryption and decryption keys using the content ID. 
[0735] In Fig. 73, steps S721 to S722 are similar to
steps S701 and S702 in Fig. 70, so description thereof 
is omitted. 

[0736] In the save data storage flow in Fig. 73, if the
program localization is set to "Yes" at step S722, then
at step S723, the content ID is read out from the content
data and used as the save data decryption key Ksav, or
the save data decryption key Ksav is generated based
on the content ID. For example, the cryptography process
section 307 of the recording and reproducing device
300 can apply the master key MKx stored in the internal
memory of the recording and reproducing device 300,
to the content ID read out from the content data, to obtain
the save data decryption key Ksav based, for example,
on the DES (MKx, content ID). Alternatively, a
cryptography key different from the other keys which
has been separately saved to the internal memory 307
of the recording and reproducing device 300 may be
used as the save data decryption key Ksav.
[0737] On the other hand, if the program localization 
is set to "No" at step S722, then at step S727, the system 
common key stored in the recording and reproducing 
device 300, for example, the system signature key Ksys 
is read out from the content data and used as the save 
data encryption key Ksav, or the save data encryption 
key Ksav is generated based on the system signature 
key. Alternatively, a cryptography key different from the other
keys which has been separately saved to the internal 
memory 307 of the recording and reproducing device 
300 may be used as the save data decryption key Ksav. 
[0738] The processing at step S724 and the subse- 
quent steps is similar to that at step S704 and the sub- 
sequent steps in the process flow in the above described 
Fig. 70, and description thereof is thus omitted.
[0739] Further, Fig. 74 shows a process flow for reproducing and
executing save data stored in the recording device during the save
data storage process flow in Fig. 73, and steps S731 to S733 are
similar to the corresponding processing in the above described
Fig. 72 except for step S734. At step S734, the content ID is read
out from the content data and used as the save data decryption key
Ksav, or the save data decryption key Ksav is generated based on the
content ID. This decryption key generating process uses a process
algorithm corresponding to the encryption key generating process,
that is, a decryption key generating algorithm that enables data
encrypted based on a certain content ID to be decrypted with a
decryption key generated based on the same content ID.



[0740] The subsequent processing, steps S735, S736, and S737 are
similar to the corresponding processing in Fig. 72, and description
thereof is thus omitted. According to the save data storage and
reproduction processes in Figs. 73 and 74, if the program
localization is set to "Yes", the content ID is used to generate the
save data encryption and decryption keys, so that as in the above
save data storage and reproduction processes using the content
unique key, save data cannot be obtained without matching the
corresponding content program, thereby enabling save data to be
saved more securely.

[0741] Figs. 75 and 77 show save data storage (Fig. 
75) and reproduction (Fig. 77) flows, respectively, that 
generate save data encryption and decryption keys using the
recording and reproducing device unique key.
[0742] In Fig. 75, step S741 is similar to step S701 in Fig. 70, so
description thereof is omitted. At step S742, localization is or is
not set for the recording and reproducing device. In case of
localizing a particular recording and reproducing device capable of
utilizing the save data, that is, to allow the save data to be used
only by the recording and reproducing device that has generated and
stored the data, the recording and reproducing device localization
is set to "Yes", and to allow other recording and reproducing
devices to use the save data, the recording and reproducing device
localization is set to "No". If the recording and reproducing device
localization is set to "Yes" at step S742, the process proceeds to
step S743, and if this localization is set to "No", the process
proceeds to step S747.

[0743] An example of the data managing file is shown in Fig. 76. The
data managing file is generated as a table containing entries
including data numbers, content IDs, recording and reproducing
device IDs, and recording and reproducing device localization. The
content ID is identification data for a content program for which
save data are saved. The recording and reproducing device ID
indicates a recording and reproducing device that has stored the
save data, and an example thereof is [IDdev] shown in Fig. 69. The
recording and reproducing device localization is set to "Yes" in
order to limit the usage of the save data to a particular recording
and reproducing device, that is, allow the save data to be used only
by the recording and reproducing device that has generated and
stored the data, or to "No" in order to allow other recording and
reproducing devices to use the save data. The recording and
reproducing device localization may be arbitrarily set by the user
using the content program or may be set and stored in the content
program by the content producer.

[0744] In the save data storage process flow in Fig. 75, if the
recording and reproducing device localization is set to "Yes" at
step S742, the recording and reproducing device unique key, for
example, the recording and reproducing device signature key Kdev is
read out from the internal memory 307 of the recording and
reproducing device 300 and used as the save data encryption key
Ksav, or the save data encryption key Ksav is generated based on the
recording and reproducing device signature key Kdev. Alternatively,
a cryptography key different from the other keys which has been
separately saved to the internal memory 307 of the recording and
reproducing device 300 may be used as the save data decryption key
Ksav.

[0745] On the other hand, if the recording and repro- 
ducing device localization is set to "No" at step S742, 
then at step S747, the system common key stored in the 
recording and reproducing device 300, for example, the 
system signature key Ksys is read out from internal 
memory 307 of the recording and reproducing device 
300 and used as the save data encryption key Ksav, or 
the save data encryption key Ksav is generated based 
on the system signature key. Alternatively, a cryptography
key different from the other keys which has been
separately saved to the internal memory 307 of the re- 
cording and reproducing device 300 may be used as the 
save data decryption key Ksav. 

[0746] The processing at steps S744 and S745 is sim- 
ilar to the corresponding processing in the process flow 
in the above described Fig. 72, and description thereof 
is thus omitted. 

[0747] At step S746, the content ID, the recording and 
reproducing device ID, and the recording and reproduc- 
ing device localization "Yes/No" set by the user at step 
S742 are written to the data managing file (see Fig. 76). 
[0748] Furthermore, Fig. 77 shows a process flow for 
reproducing and executing save data stored in the re- 
cording device during the save data storage process 
flow in Fig. 75. At step S751, the content ID is read out
as in the corresponding processing in the above de- 
scribed Fig. 72. Then at step S752, the recording and 
reproducing device ID (IDdev) stored in the memory of 
the recording and reproducing device 300 is read out. 
[0749] At step S753, the content ID, the recording and 
reproducing device ID, and the set recording and repro- 
ducing device localization "Yes/No" are read out from 
the data managing file (see Fig. 76). If any entry in the 
data managing file which has the same content ID has 
the recording and reproducing device localization set to 
"Yes", the process is ended if the table entry has a re- 
cording and reproducing device ID different from that 
read out at step S752. 

[0750] Next, if it is determined at step S754 that the 
data managing file has the recording and reproducing 
device localization set to "Yes", the process proceeds to 
step S755, whereas if the data managing file has the 
recording and reproducing device localization set to 
"No", the process proceeds to step S758. 
[0751] At step S755, the recording and reproducing device unique
key, for example, the recording and reproducing device signature key
Kdev is read out from the internal memory 307 of the recording and
reproducing device 300 and used as the save data decryption key
Ksav, or the save data encryption key Ksav is generated based on the
recording and reproducing device signature key Kdev. This decryption
key generating process uses a process algorithm corresponding to the
encryption key generating process, that is, a decryption key
generating algorithm that enables data encrypted based on a certain
recording and reproducing device unique key to be decrypted with a
decryption key generated based on the same recording and reproducing
device unique key. Alternatively, a cryptography key different from
the other keys which has been separately saved to the internal
memory 307 of the recording and reproducing device 300 may be used
as the save data decryption key Ksav.

[0752] On the other hand, at step S758, the system common key stored
in the recording and reproducing device 300, for example, the system
signature key Ksys is read out from internal memory 307 of the
recording and reproducing device 300 and used as the save data
decryption key Ksav, or the save data decryption key Ksav is
generated based on the system signature key. Alternatively, a
cryptography key different from the other keys which has been
separately saved to the internal memory 307 of the recording and
reproducing device 300 may be used as the save data decryption key
Ksav. The processing at the subsequent steps S756 and S757 is
similar to that at the corresponding steps in the above described
save data reproduction process flow.
[0753] According to the save data storage and reproduction process
flows shown in Figs. 75 and 77, save data for which the recording
and reproducing device localization is set to "Yes" are encrypted
and decrypted using the recording and reproducing device unique key.
These save data can thus be decrypted and used only by the recording
and reproducing device having the same recording and reproducing
device unique key, that is, the same recording and reproducing
device.
[0754] Next, Figs. 78 and 79 show process flows for generating
encryption and decryption keys for save data using the recording and
reproducing device ID and storing and reproducing the save data.

[0755] In Fig. 78, the recording and reproducing device ID is used
to encrypt and store save data in the recording device. Steps S761
to S763 are similar to those in the above Fig. 75. At step S764, the
recording and reproducing device ID (IDdev) read out from the
recording and reproducing device is used to generate the save data
encryption key Ksav. The save data encryption key Ksav is obtained
based on the IDdev by, for example, applying the IDdev as the save
data encryption key Ksav or applying the master key MKx stored in
the internal memory of the recording and reproducing device 300 to
obtain the save data encryption key Ksav based on the DES (MKx,
IDdev). Alternatively, a cryptography key different from the other
keys which has been separately saved to the internal memory 307 of
the recording and reproducing device 300 may be used as the save
data decryption key Ksav.
[0756] The subsequent process steps S765 to S768 are similar to the
corresponding processing in the above described Fig. 75, so
description thereof is omitted.
[0757] Fig. 79 shows a process flow for reproducing 
and executing the save data stored in the recording de- 
vice by means of the process in Fig. 78. Steps S771 to 
S774 are similar to the corresponding processing in the 
above described Fig. 77. 

[0758] At step S775, the recording and reproducing 
device ID (IDdev) read out from the recording and re- 
producing device is used to generate the save data de- 
cryption key Ksav. The save data encryption key Ksav 
is obtained based on the IDdev by, for example, applying 
the IDdev as this key Ksav or applying the master key 
MKx stored in the internal memory of the recording and 
reproducing device 300 to obtain this key Ksav based 
on the DES (MKx, IDdev). This decryption key generat- 
ing process uses a process algorithm corresponding to 
the encryption key generating process, that is, a decryp- 
tion key generating algorithm that enables data encrypt- 
ed based on a certain recording and reproducing device 
unique key to be decrypted with a decryption key gen- 
erated based on the same recording and reproducing 
device unique key. Alternatively, a cryptography key dif- 
ferent from the other keys which has been separately 
saved to the internal memory 307 of the recording and 
reproducing device 300 may be used as the save data 
decryption key Ksav. 

[0759] The subsequent process steps S776 to S778 
are similar to the corresponding processing in the above 
described Fig. 76. 

[0760] According to the save data storage and repro- 
duction process flows shown in Figs. 78 and 79, save 
data for which the recording and reproducing device lo- 
calization is set to "Yes" are encrypted and decrypted 
using the recording and reproducing device unique key. 
These save data can thus be decrypted and used only 
by the recording and reproducing device having the 
same recording and reproducing device unique key, that 
is, the same recording and reproducing device. 
[0761] Next, save data storage and reproduction 
processes of executing both the above described pro- 
gram localization and recording and reproducing device 
localization will be explained with reference to Figs. 80 
to 82. 

[0762] Fig. 80 shows a save data storage process flow. At step S781,
the content ID is read out from the content data, at step S782, it
is determined whether the program localization is set, and at step
S783, it is determined whether the recording and reproducing device
localization is set.

[0763] If both the program localization and the recording and
reproducing device localization are set to "Yes", then at step S785,
the save data encryption key Ksav is generated based on both the
content unique key (ex. Kcon) and the recording and reproducing
device unique key (Kdev). The save data encryption key is obtained,
for example, based on Ksav = (Kcon XOR Kdev) or by applying the
master key MKx stored in the internal memory of the recording and
reproducing device 300 to obtain this key based on Ksav = DES (MKx,
Kcon XOR Kdev). Alternatively, a cryptography key different from the
other keys which has been separately saved to the internal memory
307 of the recording and reproducing device 300 may be used as the
save data decryption key Ksav.

[0764] If the program localization is set to "Yes" while the
recording and reproducing device localization is set to "No", then
at step S786, the content unique key (ex. Kcon) is used as the save
data encryption key Ksav, or the save data encryption key Ksav is
generated based on the content unique key (ex. Kcon).
[0765] If the program localization is set to "No" while 
the recording and reproducing device localization is set
to "Yes", then at step S787, the recording and reproduc- 
ing device unique key (Kdev) is used as the save data 
encryption key Ksav, or the save data encryption key 
Ksav is generated based on the recording and repro- 
ducing device unique key (Kdev). Alternatively, a cryp- 
tography key different from the other keys which has 
been separately saved to the internal memory 307 of 
the recording and reproducing device 300 may be used 
as the save data decryption key Ksav. 
[0766] Further, if both the program localization and 
the recording and reproducing device localization are 
set to "No", then at step S787, the system common key, 
for example, the system signature key Ksys is used as 
the save data encryption key Ksav, or the save data en- 
cryption key Ksav is generated based on the system sig- 
nature key Ksys. Alternatively, a cryptography key dif- 
ferent from the other keys which has been separately 
saved to the internal memory 307 of the recording and 
reproducing device 300 may be used as the save data 
decryption key Ksav. 

[0767] At step S789, the save data encryption key 
Ksav generated at one of the steps S785 to S788 is used 
to encrypt the save data, which are then stored in the 
recording device. 

[0768] Furthermore, at step S790, the localization set 
at steps S782 and S783 is stored in the data managing 
file. The data managing file is configured, for example, 
as shown in Fig. 81 and contains entries including data 
numbers, content IDs, recording and reproducing de- 
vice IDs, program localization, and recording and repro- 
ducing device localization. 

[0769] Figs. 82A and 82B show a process flow for reproducing and
executing the save data stored in the recording device by means of
the process in Fig. 80. At step S791, the content ID and the
recording and reproducing device ID are read out from the execution
program, and at step S792, the content ID, the recording and
reproducing device ID, the program localization, and the recording
and reproducing device localization are read out from the data
managing file shown in Fig. 81. In this case, if the program
localization is set to "Yes" and the content IDs are not the same or
if the recording and reproducing device localization is set to "Yes"
and the recording and reproducing device IDs are not the same, the
process is ended.

[0770] Then at steps S793, S794, and S795, the decryption key
generating process is set to one of the four manners at steps S796
to S799 in accordance with the
data recorded in the data managing file. 
[0771] If both the program localization and the recording and
reproducing device localization are set to "Yes", then at step S796,
the save data encryption key Ksav is generated based on both the
content unique key (ex. Kcon) and the recording and reproducing
device unique key (Kdev). Alternatively, a cryptography key
different from the other keys which has been separately saved to the
internal memory 307 of the recording and reproducing device 300 may
be used as the save data decryption key Ksav. If the program
localization is set to "Yes" while the recording and reproducing
device localization is set to "No", then at step S797, the content
unique key (ex. Kcon) is used as the save data encryption key Ksav,
or the save data encryption key Ksav is generated based on the
content unique key (ex. Kcon). Alternatively, a cryptography key
different from the other keys which has been separately saved to the
internal memory 307 of the recording and reproducing device 300 may
be used as the save data decryption key Ksav.
[0772] If the program localization is set to "No" while the
recording and reproducing device localization is set to "Yes", then
at step S798, the recording and reproducing device unique key (Kdev)
is used as the save data encryption key Ksav, or the save data
encryption key Ksav is generated based on the recording and
reproducing device unique key (Kdev). Alternatively, a cryptography
key different from the other keys which has been separately saved to
the internal memory 307 of the recording and reproducing device 300
may be used as the save data decryption key Ksav. Further, if both
the program localization and the recording and reproducing device
localization are set to "No", then at step S799, the system common
key, for example, the system signature key Ksys is used as the save
data encryption key Ksav, or the save data encryption key Ksav is
generated based on the system signature key Ksys. Alternatively, a
cryptography key different from the other keys which has been
separately saved to the internal memory 307 of the recording and
reproducing device 300 may be used as the save data decryption key
Ksav.
[0773] These decryption key generating processes use a process
algorithm corresponding to the encryption key generating process,
that is, a decryption key
generating algorithm that enables data encrypted based 
on the same content unique key and recording and re- 
producing device unique key to be decrypted with a de- 
cryption key generated based on the same content 
unique key and recording and reproducing device 
unique key. 

[0774] At step S800, the save data encryption key Ksav generated at
one of the steps S796 to S799 is used to execute the decryption
process, and the decrypted save data are reproduced and executed in
the recording and reproducing device 300.

[0775] According to the save data storage and reproduction process
flows shown in Figs. 80 and 82, save data for which "Yes" is
selected for the program localization are encrypted and decrypted
with the content unique key, so that these save data can be
decrypted and used only if content data having the same content
unique key are used. Additionally, save data for which "Yes" is
selected for the recording and reproducing device localization are
encrypted and decrypted with the recording and reproducing device
ID, so that these save data can be decrypted and used only by the
recording and reproducing device having the same recording and
reproducing device ID, that is, the same recording and reproducing
device. Consequently, both the content and the recording and
reproducing device can set the localization to further improve the
security of the save data.
[0776] Although Figs. 80 and 82 show the configuration for
generating the save data encryption key and the decryption key using
the content unique key and the recording and reproducing device
unique key, the content ID and the recording and reproducing device
ID may be used instead of the content unique key and the recording
and reproducing device unique key, respectively, to generate the
save data encryption key and the decryption key based on these IDs.

[0777] Next, a configuration for generating encryption and
decryption keys based on a password input by the user will be
described with reference to Figs. 83 to 85.

[0778] Fig. 83 shows a process flow for generating a 
save data encryption key based on a password input by 
the user and storing save data in the recording device. 

[0779] At step S821, the content ID is read out from the content
data as in each of the above described processes. At step S822, the
user determines whether to set the program localization. The data
managing file set in this configuration has, for example, the
configuration shown in Fig. 84.

[0780] As shown in Fig. 84, the data contains data numbers, content
IDs, recording and reproducing device IDs, and user set program
localization. The "user set program localization" is an entry that
determines whether or not the usage of the program is limited to a
particular user.

[0781] If the localization is set to "Yes" at step S822 in the
process flow in Fig. 83, then at step S823, the user's password is
input. The password is input from an input means such as the
keyboard shown in Fig. 2.
[0782] The input password is output to the cryptography process
section 302 under the control of the main CPU 106 and the control
section 301, and the processing at step S824 is executed, that is,
the save data encryption key Ksav is generated based on the input
user password. The save data encryption key Ksav may be generated
by, for example, setting the password itself as this key Ksav or
using the master key MKx of the recording and reproducing device to
generate this key Ksav based on the save data encryption key Ksav =
DES (MKx, password). Alternatively, a unidirectional function may be
applied using the password as an input so that an encryption key can
be generated based on an output from the function.

[0783] If the user localization is set to "No" at step 
S822, then at step S828, a save data encryption key is 
generated based on the system common key of the re- 
cording and reproducing device 300. 
[0784] Further, at step S825, the save data encryption 
key Ksav generated at step S824 or S828 is used to 
encrypt the save data, and at step S826, the encrypted 
save data are stored in the recording device. 
[0785] Furthermore, at step S827, the program local- 
ization set by the user at step S822 is written to the data 
managing file in Fig. 84 so as to be associated with the 
content ID and the recording and reproducing device ID. 
[0786] Fig. 85 is a view showing a flow of a process 
for reproducing the save data stored by means of the 
process in Fig. 83. At step S831, the content ID is read
out from the content data, and at step S832, the content 
ID and the program localization by the user are read out 
from the data managing file shown in Fig. 84. 
[0787] At step S833, determination is made based on 
the data in the data managing file. If "the user set program
localization" is set to "Yes", then at step S834, the
user is prompted to input a password, and at step S835, 
a decryption key is generated based on the input pass- 
word. This decryption key generating process uses a 
process algorithm corresponding to the encryption key 
generating process, that is, a decryption key generating
algorithm that enables data encrypted based on a cer- 
tain password to be decrypted with a decryption key 
generated based on the same password. 
[0788] If it is determined at step S833 that the program 
localization by the user is set to "No", then at step S837, 
the system common key stored in the internal memory 
of the recording and reproducing device 300 is used to 
generate the save data decryption key Ksav by using 
the system signature key Ksys. Alternatively, an encryp- 
tion key different from the other keys which has been 
separately saved to the internal memory 307 of the re- 
cording and reproducing device 300 may be used as the 
save data encryption key Ksav. 

[0789] At step S836, the decryption key Ksav gener- 
ated at step S835 or S837 is used to decrypt the save 
data stored in the recording device, and at step S836, 
the recording and reproducing device reproduces and 
executes the save data. 

[0790] According to the save data storage and repro- 
duction process flows shown in Figs. 83 and 85, save 
data for which "Yes" is selected for "the user set program 
localization" are encrypted and decrypted with the key 
based on the user input password, so that these save 
data can be decrypted and used only if the same pass- 
word is input, thereby improving the security of the save 
data. 



[0791] The several aspects of the save data storage and reproduction
processes have been described, but it is also possible to implement
a process obtained by merging the above described processes
together, for example, an aspect of generating save data encryption
and decryption keys using an arbitrary combination of the password,
the recording and reproducing device ID, the content ID, and others.
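
The merged scheme of [0791], covering the four-way selection of [0763] to [0766] and the password case of [0782], as an added Python example (not code from the patent). HMAC-SHA256 and PBKDF2 stand in for the DES (MKx, ...) and unidirectional-function steps; the key values, the salt field, the field encoding and the names `ManagingEntry`, `gate`, `derive_ksav` and `xor_combine` are assumptions. `xor_combine` is the plain Kcon XOR Kdev form, kept to show that it is order-insensitive and yields an all-zero key for equal inputs.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample secrets; a real device keeps these in protected memory.
MKX = bytes.fromhex("00112233445566778899aabbccddeeff")   # master key MKx
KSYS = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # system common key Ksys


@dataclass(frozen=True)
class ManagingEntry:
    """One row of the data managing file (cf. Figs. 81 and 84)."""
    content_id: bytes
    device_id: bytes
    program_localization: bool
    device_localization: bool
    user_localization: bool
    salt: bytes = b"\x00" * 16  # assumption: per-save salt, not on the page


def xor_combine(kcon: bytes, kdev: bytes) -> bytes:
    """The page's example combination, Ksav = Kcon XOR Kdev."""
    return bytes(a ^ b for a, b in zip(kcon, kdev))


def gate(entry: ManagingEntry, content_id: bytes, device_id: bytes) -> bool:
    """Managing-file check made before any key is generated (as at S792)."""
    if entry.program_localization and entry.content_id != content_id:
        return False
    if entry.device_localization and entry.device_id != device_id:
        return False
    return True


def derive_ksav(entry: ManagingEntry, content_id: bytes, device_id: bytes,
                password: Optional[str] = None) -> bytes:
    """Derive Ksav from whichever localizations the entry enables.

    The IDs passed in come from the running program and device, not from
    the entry, so editing the managing file alone does not yield the key
    of another binding.
    """
    fields = []
    if entry.program_localization:
        fields.append(b"content:" + content_id)
    if entry.device_localization:
        fields.append(b"device:" + device_id)
    if entry.user_localization:
        if not password:
            raise ValueError("password required for user localization")
        # Unidirectional function over the password, with stretching.
        fields.append(b"user:" + hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), entry.salt, 100_000))
    if not fields:
        # No localization: key generated from the system common key.
        return hmac.new(KSYS, b"save-data", hashlib.sha256).digest()
    # Length-prefix each field so field boundaries are unambiguous.
    message = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(MKX, message, hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed IDs and password.
    entry = ManagingEntry(b"CID-0001", b"DEV-AAAA", True, True, True)
    same = derive_ksav(entry, b"CID-0001", b"DEV-AAAA", "correct horse")
    other = derive_ksav(entry, b"CID-0001", b"DEV-BBBB", "correct horse")
    print("gate on other device:", gate(entry, b"CID-0001", b"DEV-BBBB"))
    print("keys differ across devices:", same != other)
```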



[0792] As described above, the data processing ap- 
paratus according to the present invention improves the 
security of provided contents and allows such contents
to be used only by valid users, using the configuration 
wherein the recording and reproducing device 300 ex- 
ecutes processes such as authentication and encryp- 
tion on various content data provided by the medium 
500 (see Fig. 3) or the communication means 600 and 
then stores the data in the recording device. 
[0793] As understood from the above description, the 
input content is authenticated, encrypted, and decrypt- 
ed using the various signature keys, master keys, and 
integrity-check-value-generating keys (see Fig. 18) 
stored in the internal memory 307 configured in the cryp- 
tography process section 302 of the recording and re- 
producing device 300. The internal memory 307 storing 
the key information is desirably characterized to restrain 
external illegal reads in that it comprises a semiconduc- 
tor chip that essentially rejects external accesses and 
has a multilayer structure, an internal memory sand- 
wiched between dummy layers of aluminum or the like 
or arranged in the lowest layer, and a narrow range of 
operating voltages and/or frequencies. If, however, 
these key data or the like should be read out from the 
internal memory and copied to an unauthorized record- 
ing and reproducing device, the copied key information 
may be used for invalid usage of the content. 
[0794] A configuration for preventing the invalid use 
of a content based on invalid copying of a key will be 
described below. 

[0795] Fig. 86 is a block diagram useful in explaining "(17)
Configuration for Excluding Invalid Apparatuses", which corresponds
to this configuration. The recording and reproducing device 300 is
similar to the recording and reproducing device shown in the above
described Figs. 2 and 3 and has an internal memory and the
previously described various key data (Fig. 18) and recording and
reproducing device ID. Here, the recording and reproducing device
ID, the key data, or the like copied by a third person is not
necessarily stored in the internal memory 307, but the key data or
the like in the recording and reproducing device 300 shown in Fig.
86 are collectively or distributively stored in a memory section
accessible to the cryptography process section 302 (see Figs. 2 and
3).

(17) Configuration for Excluding (Revoking) Invalid Apparatuses

[0796] To implement the configuration for excluding invalid
apparatuses, a list of invalid recording and reproducing device IDs
is stored in the header section of the content data. As shown in
Fig. 86, the content data holds a revocation list as the list of
invalid recording and reproducing device IDs (IDdev). Further, a
list integrity check value ICVrev is used to check the revocation
list for tampering. The list of invalid recording and reproducing
device IDs (IDdev) contains the identifiers IDdev of invalid
recording and reproducing devices determined by the content provider
or manager based on the state of distribution of invalid copies or
the like. The revocation list may be encrypted with the distribution
key Kdis before being stored. The decryption process executed by the
recording and reproducing device is similar to, for example, that in
the content download process in the above Fig. 22.

[0797] Here, for better understanding, the revocation list is shown
as single data in the content data in Fig. 86 but may be contained,
for example, in the previously described usage policy (for example,
see Figs. 32 to 35), which is a component of the header section of
the content data. In this case, the previously described integrity
check value ICVa is used to check the usage policy data containing
the revocation list for tampering. If the revocation list is
contained in the usage policy, the integrity check value A: ICVa is
used for the check and the integrity-check-value-A-generating key
Kicva in the recording and reproducing device is used, thereby
eliminating the need to store the integrity-check-value-generating
key Kicv-rev.

[0798] If the revocation list is contained in the content data as
independent data, the revocation list is checked using the list
integrity check value ICVrev for checking the revocation list for
tampering, and an intermediate integrity check value is generated
from the list integrity check value ICVrev and another partial
integrity check value in the content data and is used to carry out a
verification process.

[0799] A method for checking the revocation list using the list
integrity check value ICVrev for checking the revocation list for
tampering is similar to the process for generating the integrity
check value such as ICVa or ICVb as explained in the above described
Figs. 23 and 24. That is, the calculation is executed in accordance
with the ICV calculation method described in Figs. 23 and 24 and
other figures, using as a key the integrity-check-value-generating
key Kicv-rev stored in the internal memory 307 of the recording and
reproducing device cryptography process section 302 and using as a
message the revocation list contained in the content data. The
calculated integrity check value ICV-rev' and the integrity check
value: ICV-rev stored in the header are compared together, and if
they are equal, it is determined that the list has not been tampered
with.

[0800] The intermediate integrity check value containing the list
integrity check value ICVrev is generated, for example, by using as
a key the total-integrity-check-value-generating key Kicvt stored in
the internal memory 307 of the recording and reproducing device
cryptography process section 302 and applying the ICV calculation
method described in Fig. 7 and other figures to a message string
comprising the integrity check values A and B and list integrity
check value ICVrev in the verified header, with the content
integrity check value added thereto depending on the format, as
shown in Fig. 25.
[0801] The revocation list and the list integrity check 
value are provided to the recording and reproducing de- 
10 vice 300 via the medium 500 such as a DVD or a CD or 
the communication means 600 or via the recording de- 
vice 400 such as a memory card. In this case, the re- 
cording and reproducing device 300 may hold valid key 
data or illegally copied ID. 
15 [0802] Figs. 87 and 88 show a flow of a process for 
excluding invalid recording and reproducing devices in 
this configuration. Fig. 87 shows a flow of a process for 
excluding (revoking) invalid recording and reproducing 
devices if a content is provided by the medium 500 such 
20 as a DVD or a CD or the communication means 600, 
while Fig. 88 shows a flow of a process for excluding 
(revoking) invalid recording and reproducing devices if 
a content is provided by the recording device 400 such 
as a memory card. 
25 [0803] First, the process flow in Fig. 87 will be ex- 
plained. At step S901 , the medium is installed and a re- 
quest is made for a content, that is, a reproduction or 
download process. The process shown in Fig. 87 corre- 
sponds to a step executed, for example, before instal- 
30 lation of the medium such as DVD or the like in the re- 
cording device followed by the download process. The 
download process is as previously described with refer- 
ence to Fig. 22 and is executed as a step before the 
process flow in Fig. 22 or a process inserted into this 
35 process flow. 

[0804] If the recording and reproducing device 300
receives a content via the communication means such as
a network, then at step S911, a communication session
with a content distribution service side is established,
and the process then proceeds to step S902.

[0805] At step S902, the revocation list (see Fig. 86)
is obtained from the header section of the content data.
In this list obtaining process, if the content is present in
the medium, the control section 301 shown in Fig. 3
reads it out therefrom via the read section 304. If the
content is obtained from the control section, the
communication means 301 shown in Fig. 3 receives it from
the content distributing side via the communication
section 305.

[0806] Next, at step S903, the control section 301
passes the revocation list obtained from the medium
500 or the communication means 600, to the cryptography
process section 302, which is then caused to execute
the check value generating process. The recording
and reproducing device 300 internally has the
revocation-integrity-check-value-generating key Kicv-rev,
calculates the integrity check value ICV-rev' in accordance
with the ICV calculation method described in Figs. 23
and 24 and other figures, by applying the
integrity-check-value-generating key Kicv-rev using the
received revocation list as a message, and compares the
result of the calculation with the integrity check value:
ICV-rev stored in the header to determine that the list has
not been tampered with if they are equal (Yes at step S904).
If the values are not equal, the recording and reproducing
device determines that the list has been tampered with, and
the process proceeds to step S909 to indicate a process
error to end the process.

[0807] Then at step S905, the control section 306 of
the recording and reproducing device cryptography
process section 302 causes the encryption/decryption
section 308 of the recording and reproducing device
cryptography process section 302 to calculate the total
integrity check value ICVt'. The total integrity check
value ICVt' is generated by using as a key the system
signature key Ksys stored in the internal memory 307 of
the recording and reproducing device cryptography
process section 302 and encrypting the intermediate
integrity check value based on the DES, as shown in Fig.
25. The verification process with each partial integrity
check value such as the ICVa or ICVb is omitted from
the process flow shown in Fig. 87, but verification with
these partial check values is carried out depending on
the data format as in the process flow in the previously
described Figs. 39 to 45.

[0808] Then at step S906, the generated total integrity
check value ICVt' is compared with the integrity check
value ICVt in the header, and if they are equal (Yes at
step S906), the process advances to step S907. If the
values are not equal, the recording and reproducing
device determines that the list has been tampered with,
and the process proceeds to step S909 to indicate a
process error to end the process.

[0809] As previously described, the total integrity
check value ICVt is used to check all the partial integrity
check values contained in the content data, such as the
ICVa and ICVb and integrity check values for
corresponding content blocks which are dependent on the
data format. In this case, however, the list integrity check
value ICVrev for checking the revocation list for tamper
is added to the partial integrity check values, and all of
these integrity check values are checked for tamper. If
the total integrity check value equals the integrity check
value: ICVt stored in the header, it is determined that
none of the ICVa and ICVb, the content block integrity
check values, and the list integrity check value ICVrev
has been tampered with.

[0810] Further at step S907, the revocation list, which
has been determined to be free from tamper, is compared
with the recording and reproducing device ID (IDdev)
stored in this recording and reproducing device 300.

[0811] If the list of invalid recording and reproducing
device IDs IDdev read out from the content data contains
the identifier IDdev of this recording and reproducing
device, this recording and reproducing device 300
is determined to have illegally copied key data. The
process then advances to step S909 to abort the
subsequent procedure. For example, the process disables
the execution of the content download process in Fig. 22.

[0812] At step S907, if the list of invalid recording and
reproducing device IDs IDdev is determined not to
contain the identifier IDdev of this recording and
reproducing device, this recording and reproducing
device 300 is determined to have valid key data. The
process proceeds to step S908 to enable the subsequent
procedure, for example, the program executing process or
the content download process in Fig. 22 or other figures.

[0813] Fig. 88 shows a process executed to reproduce
content data stored in the recording device 400
such as a memory card. As previously described, the
recording device 400 such as a memory card and the
recording and reproducing device 300 carry out the
mutual authentication process described in Fig. 20 (step
S921). Only if the mutual authentication is successful at
step S922 does the process proceed to step S923 and the
subsequent processing, whereas if the mutual
authentication fails, an error occurs at step S930 to
prevent the subsequent processing from being executed.

[0814] At step S923, the revocation list (see Fig. 86)
is obtained from the header section of the content data.
The processing at the subsequent steps S924 to S930 is
similar to the corresponding processing in Fig. 87. That
is, the list is verified with the list integrity check value
(S924 and S925) and with the total integrity check value
(S926 and S927), and the list entry is compared with the
recording and reproducing device ID IDdev (S928).
Then, if the list of invalid recording and reproducing
device IDs IDdev contains the identifier IDdev of this
recording and reproducing device, this recording and
reproducing device 300 is determined to have illegally
copied key data, and the process then advances to step
S930 to abort the subsequent procedure. For example,
the process disables the execution of the content
reproduction process in Fig. 28. On the other
hand, if the list of invalid recording and reproducing
device IDs IDdev is determined not to contain the identifier
IDdev of this recording and reproducing device, this
recording and reproducing device 300 is determined to
have valid key data, and the process proceeds to step
S929 to enable the subsequent procedure.

[0815] As described above, according to the present
data processing apparatus, the data identifying invalid
recording and reproducing devices, that is, the
revocation list containing the identifiers IDdev of invalid
recording and reproducing devices is contained in the
content provided by the content provider or manager as
constituent data of the header section of the content data.
Before using the content in the recording and reproducing
device, the recording and reproducing device user
collates the recording and reproducing device ID IDdev
stored in the memory of this recording and reproducing
device with the ID in the list and prevents the
subsequent processing if matching data are found.
Consequently, the content can be prevented from being used
by invalid recording and reproducing devices that store
copied key data in their memory.
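
The check order of Fig. 87 (steps S903 to S909), as an added example that is not part of the patent text. HMAC-SHA256 truncated to 8 bytes stands in for both the DES-CBC ICV calculation and the Ksys encryption step; the key values, the 8-byte ID width, the dictionary header layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

ID_LEN = 8  # assumed fixed width of one IDdev entry in the revocation list

# Constructed sample keys standing in for the contents of internal memory 307.
KICV_REV = b"constructed-Kicv-rev"
KICVT = b"constructed-Kicvt"
KSYS = b"constructed-Ksys"


def icv(key: bytes, message: bytes) -> bytes:
    """Keyed check value. Stand-in for the page's DES-CBC calculation."""
    return hmac.new(key, message, hashlib.sha256).digest()[:8]


def total_icv(icv_a: bytes, icv_b: bytes, icv_rev: bytes) -> bytes:
    """Intermediate ICV over ICVa || ICVb || ICVrev, then the Ksys step."""
    intermediate = icv(KICVT, icv_a + icv_b + icv_rev)
    return icv(KSYS, intermediate)  # stand-in for DES encryption with Ksys


def build_header(revoked_ids, icv_a: bytes, icv_b: bytes) -> dict:
    """Provider side: attach the list, ICVrev and ICVt to a header."""
    rev_list = b"".join(revoked_ids)
    icv_rev = icv(KICV_REV, rev_list)
    return {"rev_list": rev_list, "icv_a": icv_a, "icv_b": icv_b,
            "icv_rev": icv_rev, "icv_t": total_icv(icv_a, icv_b, icv_rev)}


def check_revocation(header: dict, id_dev: bytes) -> str:
    """Device side: returns 'S908' to proceed or an 'S909: reason' error."""
    rev_list = header["rev_list"]
    # S903/S904: recompute ICVrev' over the received list and compare.
    if not hmac.compare_digest(icv(KICV_REV, rev_list), header["icv_rev"]):
        return "S909: list ICV mismatch"
    # S905/S906: recompute ICVt' over the header's partial ICVs and compare.
    icv_t = total_icv(header["icv_a"], header["icv_b"], header["icv_rev"])
    if not hmac.compare_digest(icv_t, header["icv_t"]):
        return "S909: total ICV mismatch"
    # S907: only a verified list is searched for this device's own ID.
    if len(rev_list) % ID_LEN:
        return "S909: malformed list"
    entries = {rev_list[i:i + ID_LEN] for i in range(0, len(rev_list), ID_LEN)}
    if id_dev in entries:
        return "S909: device revoked"
    return "S908"


def demo() -> dict:
    """Run four constructed cases and return each outcome by name."""
    icv_a, icv_b = b"\xa1" * 8, b"\xb2" * 8  # constructed partial ICVs
    good = build_header([b"DEV00002", b"DEV00007"], icv_a, icv_b)
    # List edited after issue: ICVrev no longer matches the list.
    edited = dict(good, rev_list=b"DEV00002")
    # Older, internally consistent (list, ICVrev) pair placed in this header:
    # it passes S904, and only the total check at S906 rejects it.
    old = build_header([b"DEV00002"], icv_a, icv_b)
    spliced = dict(good, rev_list=old["rev_list"], icv_rev=old["icv_rev"])
    return {
        "valid device": check_revocation(good, b"DEV00001"),
        "revoked device": check_revocation(good, b"DEV00007"),
        "edited list": check_revocation(edited, b"DEV00007"),
        "spliced list": check_revocation(spliced, b"DEV00007"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The spliced case shows why ICVrev is folded into the total integrity check value: a list and list check value that match each other are still rejected when they do not belong to this header.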

(18) Method for Configuring and Manufacturing Secure Chip

[0816] As previously described, the internal memory 
307 of the recording and reproducing device cryptogra- 
phy process section 302 or the internal memory 405 of 
the recording device 400 holds important information 
such as the cryptography keys and thus needs to be 
structured to reject external invalid reads. Thus, the re- 
cording and reproducing device cryptography process 
section 302 and the recording device cryptography 
process section 401 are configured as a tamper resist- 
ant memory characterized to restrain external illegal 
reads in that it comprises, for example, a semiconductor 
chip that rejects external accesses and has a multilayer 
structure, an internal memory sandwiched between 
dummy layers of aluminum or the like or arranged in the 
lowest layer, and a narrow range of operating voltages 
and/or frequencies. 

[0817] As understood from the above description, 
however, data such as the recording and reproducing 
device signature key Kdev which vary depending on the 
recording and reproducing device must be written to the 
internal memory 307 of the recording and reproducing 
device cryptography process section 302. Additionally, 
data rewrites or reads must be difficult after individual 
information for each chip, for example, identification in- 
formation (ID) and encryption key information has been 
written to a non-volatile storage area in the chip, for ex- 
ample, a flash memory or an FeRAM, for example, after 
shipment. 

[0818] A conventional method for making data reads 
and rewrites difficult comprises, for example, making a 
data write command protocol secret or separating signal 
lines on the chip for accepting the data write command 
from communication signal lines used after completion 
of the product so that the data write command will not 
be effective unless the signal is directly transmitted to 
the chip on a substrate. 

[0819] Even with such a conventional method, how- 
ever, those who have a technical knowledge of storage 
elements can output signals to a data write area of the 
chip if they have a facility and a technique for driving the 
circuit, and even if a data write command protocol is se- 
cret, there is always a possibility that the protocol may 
be analyzed. 

[0820] Distribution of elements for storing cryptography
process data which allow secret data to be modified
may threaten the entire cryptography process system.
In addition, to prevent data from being read out, it is
possible to avoid implementing the data read command. In
this case, however, even if a regular data write has been
executed, it is impossible to determine whether or not
the written data has been accurately written, resulting
in a possibility of supplying chips with inappropriate data
written thereto.

[0821] In view of these conventional techniques, the 
present invention provides a secure chip configuration 
that enables data to be accurately written to a non-vol- 
atile memory such as a flash memory or an FeRAM 
while restraining data from being read out therefrom, as 
well as a method for manufacturing such a secure chip. 

[0822] Fig. 89 shows a security chip configuration
applicable to, for example, the above described recording
and reproducing device cryptography process section
302 or the cryptography process section 401 of the
recording device 400. Fig. 89(A) shows a security chip
configuration formed during a chip manufacturing
process, that is, during a data write process, and Fig. 89(B)
shows an example of the configuration of a product such
as the recording and reproducing device 300 or the
recording device 400 which has a security chip mounted
in the product and having data written thereto.

[0823] During the manufacturing process, a process
section 8001 of the security chip has mode specifying
signal lines 8003 and various command signal lines
8004 connected thereto and writes or reads data to or from
a storage section 8002 comprising a non-volatile memory,
depending on, for example, whether the chip is in a
data write mode or a data read mode.
[0824] On the other hand, in the security chip mount- 
ed product in Fig. 89(B), the security chip is connected 
to an externally connected interface, peripheral equip- 
ment, and other elements via general purpose signal 
lines, whereas the mode signal lines 8003 are not con- 
nected. Specific processing for the mode signal lines 
8003 includes connecting these lines 8003 to the 
ground, increasing the voltage on these lines to Vcc, cut- 
ting them, sealing them with an insulator resin, etc. Such 
processing hinders the mode signal lines in the security 
chip from being accessed after shipment, thereby pre- 
venting data from being externally read out from the chip 
or written thereto. 

[0825] Further, the security chip 8000 of this configu- 
ration hinders data from being written to the storage sec- 
tion 8002 while hindering written data from being read 
out therefrom, thereby preventing invalid data writes or 
reads even if a third person successfully accesses the 
mode signal lines 8003. Fig. 90 shows a process flow 
of a data write to or a data read from the security chip 
of this configuration. 

[0826] At step S951, the mode signal lines 8003 are
set for a data write or read mode.

[0827] At step S952, authentication information is taken
out from the chip. The security chip of this configuration
stores information required for the authentication
process, such as a password and key information for
the authentication process for the cryptography
technique, for example, by wires or the mask ROM
configuration. At step S952, this authentication information
is read out to execute the authentication process. If, for
example, regular data write jig and data read device are
connected to the general purpose signal lines to execute
the authentication process, the authentication will be
successful (Yes at step S953). If, however, invalid data
write jig and data read device are connected to the
general purpose signal lines to execute the authentication
process, the authentication will fail (No at step S953)
and the process is stopped. The authentication process
can be executed, for example, in accordance with the
mutual authentication process procedure previously
described in Fig. 13. The process section 8001 shown in
Fig. 89(A) has a configuration capable of such an
authentication process. This can be implemented, for
example, using a configuration similar to a command
register integrated into the control section 403 of the
cryptography process section 401 of the recording device
400 shown in the previously described Fig. 29. For
example, the process section of the chip in Fig. 89(A) has
a configuration similar to the command register integrated
into the control section 403 of the cryptography process
section 401 of the recording device 400 shown in
Fig. 29, and carries out an appropriate process to enable
the authentication process sequence to be executed, in
response to an input of a predetermined command from
an apparatus connected to the various command signal
lines 8004.

[0828] Only if the authentication process is success- 
ful, the process section 8001 accepts the data write or 
read command to execute the data write (step S955) or 
read (step S956) process. 

[0829] As described above, the security chip of this
configuration is configured to execute the authentication
process on a data write or read, thereby preventing an
unauthorized third person from reading or writing data
to or from the storage section of the security chip.

[0830] Next, Fig. 91 shows an embodiment of a
securer element configuration. In this example, the
storage section 8200 of the security chip is separated into
two areas; one of the areas is a Read Write (RW) area
8201 to and from which data can be written and read,
while the other is a Write Only (WO) area 8202 to which
data can only be written.

[0831] In this configuration, cryptography key data, ID
data, and other data which require high security are
written to the Write Only (WO) area 8202, whereas integrity
check data and other data which do not require so high
security are written to the Read Write (RW) area 8201.

[0832] As a process for reading data out from the
Read Write (RW) area 8201, the process section 8001
executes a data read process involving the authentication
process described in the above described Fig. 90.
The data write process, however, is executed following
the flow in Fig. 92.

[0833] At step S961 in Fig. 92, the mode signal lines
8003 are set for the write mode, and at step S962, an
authentication process similar to that described in the
above Fig. 90 is executed. When the authentication
process is successful, the process proceeds to step
S963 to output to the process section 8001, a command
for writing information such as key data which requires
high security to the Write Only (WO) area 8202 via the
command signal lines 8004, while writing check data or
other data which do not require so high security to the
Read Write (RW) area 8201.

[0834] At step S964, on receiving the command, the
process section 8001 executes a data write process on
the Write Only (WO) area 8202 or the Read Write (RW)
area 8201 depending on the command.

[0835] In addition, Fig. 93 shows a flow of a process 
for verifying data written to the Write Only (WO) area 
8202. 

[0836] At step S971 in Fig. 93, the process section
8001 causes the Write Only (WO) area 8202 to execute
the cryptography process based on the written data.
Like the above authentication process executing
configuration, this execution configuration is implemented
by a configuration for sequentially executing the
cryptography process sequence stored in the command
register. Additionally, the cryptography process algorithm
executed in the process section 8001 is not particularly
limited, but for example, the previously described DES
algorithm can be carried out.

[0837] Then at step S972, a verification device
connected to the security chip receives the result of the
cryptography process from the process section 8001.
Then at step S973, the result of the application of a
cryptography process similar to the algorithm executed by
the process section 8001 on the regular write data
written to the storage section at step S973 is compared with
the result of encryption from the process section 8001.

[0838] If the compared results are identical, it is
verified that the data written to the Write Only (WO) area
8202 are correct.

[0839] With this configuration, if the authentication
process should be deciphered to enable the read
command to be executed, data can be read out only from
the Read Write (RW) area 8201, while data written to
the Write Only (WO) area 8202 cannot be read out; thus
this configuration provides much higher security. In
addition, unlike chips that prohibit data reads, this chip
includes the Read Write (RW) area 8201 to enable
memory accesses to be validated.
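
A software model of the RW/WO storage split and the write verification of Figs. 90 to 93, as an added example that is not part of the patent text. HMAC-SHA256 stands in for the DES process, the authentication is simplified to a one-way challenge-response instead of the mutual authentication of Fig. 13, and the class and function names, the random verification message and the requirement that the session be authenticated before the chip runs the cryptography process are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class AuthError(Exception):
    """Command issued without a successful authentication (No at S953)."""


class AccessError(Exception):
    """Command not permitted for the addressed storage area."""


def crypto(key: bytes, message: bytes) -> bytes:
    """Stand-in for the DES process the page mentions: HMAC-SHA256."""
    return hmac.new(key, message, hashlib.sha256).digest()


class SecurityChip:
    def __init__(self, auth_secret: bytes):
        self._auth_secret = auth_secret  # fixed by wiring or mask ROM
        self._areas = {"RW": {}, "WO": {}}  # areas 8201 and 8202
        self._mode = None
        self._challenge = None
        self._authed = False

    def set_mode(self, mode: str) -> bytes:
        """S951/S961: select read or write mode; returns a fresh challenge."""
        if mode not in ("read", "write"):
            raise ValueError(mode)
        self._mode, self._authed = mode, False
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def authenticate(self, response: bytes) -> bool:
        """S952/S953: accept the jig only if it knows the chip's secret."""
        if self._challenge is None:
            return False
        expected = crypto(self._auth_secret, self._challenge)
        self._authed = hmac.compare_digest(expected, response)
        self._challenge = None  # one attempt per challenge
        return self._authed

    def _require(self, mode: str) -> None:
        if not self._authed or self._mode != mode:
            raise AuthError(f"{mode} command rejected")

    def write(self, area: str, name: str, data: bytes) -> None:
        """S964: write to the WO or RW area, depending on the command."""
        self._require("write")
        self._areas[area][name] = bytes(data)

    def read(self, area: str, name: str) -> bytes:
        """S956: reads are served from the RW area only."""
        self._require("read")
        if area == "WO":
            raise AccessError("WO area 8202 has no read path")
        return self._areas[area][name]

    def crypto_result(self, name: str, message: bytes) -> bytes:
        """S971: run the process inside the chip, keyed by the WO data."""
        if not self._authed:
            raise AuthError("crypto command rejected")
        return crypto(self._areas["WO"][name], message)


def open_session(chip: SecurityChip, mode: str, jig_secret: bytes) -> bool:
    """Jig side of S951 to S953."""
    challenge = chip.set_mode(mode)
    return chip.authenticate(crypto(jig_secret, challenge))


def verify_wo_write(chip: SecurityChip, name: str, intended: bytes) -> bool:
    """S972/S973: compare the chip's result with one computed from the
    data that was meant to be written, without ever reading that data back."""
    message = secrets.token_bytes(16)
    from_chip = chip.crypto_result(name, message)
    return hmac.compare_digest(from_chip, crypto(intended, message))
```

The verifier learns only whether the stored value equals the intended one; the key itself never crosses the chip boundary, which is the property the Write Only area is there to provide.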

[0840] This invention has been described with reference
to the particular embodiments. Obviously, however,
modifications or substitutions may be made to the
present invention by those skilled in the art without
deviating from the spirit thereof. That is, the present
invention has been disclosed for illustrative purposes only
and should not be interpreted in a restrictive manner. In
addition, in the above described embodiments, the
recording and reproducing device capable of recording
and reproducing contents are described by way of
example. However, the configuration of the present
invention is applicable to apparatuses capable of only
recording or reproducing data, and the present invention can
be implemented in personal computers, game apparatuses,
and other various data processing apparatuses
in general. To determine the points of the present
invention, the claims set forth at the beginning should be
referenced.

Industrial Applicability 

[0841] The present invention can be utilized in
apparatuses and systems which are capable of reproducing
various contents such as sounds, images, games, and
programs, which can be obtained via a storage medium,
such as a DVD and a CD, or via various wired and radio
communication means such as CATV, Internet, and
satellite communication, in a recording and reproducing
device a user has, and storing the contents in a special
recording device, such as a memory card, a hard disk, and a
CD-R, and at the same time, of offering security in which
the utilization that a contents provider wants is limited
in the case of using the contents stored in the recording
device, and a third party other than regular users is
prevented from illegally using the provided contents.



Claims 

1. A data processing apparatus for processing content
data provided by a recording or communication
medium, characterized in that said apparatus
comprises:

a cryptography process section for executing a
cryptography process on said content data; and
a control section for executing control for said
cryptography process section, and
said cryptography process section:

is configured to generate partial integrity
check values as integrity check values for
a partial data set containing one or more
partial data obtained by a content data-constituting
section into a plurality of parts,
and to collate the generated integrity check
values to verify said partial data, and
generates an intermediate integrity check
value based on a partial integrity check value
set data string containing at least one
or more of said partial integrity check values,
and uses the generated intermediate
integrity check value to verify the entirety
of the plurality of partial data sets
corresponding to the plurality of partial integrity
check values constituting said partial
integrity check value set.

2. The data processing apparatus according to
Claim 1, characterized in that:

said partial integrity check value is generated
by means of a cryptography process with a
partial-check-value-generating key applied thereto,
using partial data to be checked, as a message,

said intermediate integrity check value is generated
by means of a cryptography process
with a general-check-value-generating key
applied thereto, using a partial integrity check
value set data string to be checked, as a message, and

said cryptography process section is configured
to store said partial-integrity-check-value-generating
value and said general-integrity-check-value-generating key.

3. The data processing apparatus according to 
Claim 1, characterized in that: said cryptography 
process has plural types of partial-check-value- 
generating key corresponding to generated partial 
integrity check values. 

4. The data processing apparatus according to 
Claim 2, characterized in that: 

said cryptography process is a DES cryptogra- 
phy process, and 

said cryptography process section is config- 
ured to execute the DES cryptography process. 

5. The data processing apparatus according to
Claim 2, characterized in that:

said partial integrity check value is a message
authentication code (MAC) generated in a
DES-CBC mode using partial data to be
checked, as a message,
said intermediate value is a message authentication
code (MAC) generated in a DES-CBC
mode using a partial integrity check value set
data string to be checked, as a message, and
said cryptography process section is configured
to execute the cryptography process in the
DES-CBC mode.

6. The data processing apparatus according to
Claim 5, characterized in that: in the DES-CBC
mode-based cryptography process configuration of
said cryptography process section, Triple DES is
applied only in part of a message string to be
processed.

7. The data processing apparatus according to
Claim 1, characterized in that:

said data processing apparatus has a signature
key, and

said cryptography process section: is configured
to apply a value generated from said
intermediate value by means of said signature
key-applied cryptography process as a collation
value for data verification.

8. The data processing apparatus according to
Claim 7, characterized in that:

said data processing apparatus has a plurality
of different signature keys as signature keys,
and
said cryptography process section: is configured
to apply one of said plurality of different
signature keys which is selected depending on
a localization of said content data, to the
cryptography process for said intermediate integrity
check value to obtain the collation value for
data verification.

9. The data processing apparatus according to
Claim 8, characterized in that: said data processing
apparatus has a common signature key common
to all entities of a system for executing a data
verifying process and an apparatus-specific signature
key specific to each apparatus that executes a
data verifying process.

10. The data processing apparatus according to
Claim 1, characterized in that:

said partial integrity check value contains one
or more header section integrity check values
generated for intra-header-section data partly
constituting data and one or more content
integrity check values generated for content
block data partly constituting the data, and
said cryptography process is configured to generate
one or more header section integrity
check values for a partial data set in said
intra-header-section data to execute a collation
process, generate one or more content integrity
check values for a partial data set in said
intra-content-section data to execute a collation
process, and further generate a general integrity
check value based on all said header section
integrity check values and said content integrity
check values generated, to execute a
collation process in order to verify the data.

11. The data processing apparatus according to
Claim 1, characterized in that:

said partial integrity check value contains one
or more header section integrity check values
generated for intra-header-section data partly
constituting data, and
said cryptography process is configured to generate
one or more header section integrity
check values for a partial data set in said
intra-header-section data to execute a collation
process and further generate a general integrity
check value based on said one or more header
section integrity check values generated and
on content block data constituting part of said
data, to execute a collation process in order to
verify the data.

12. The data processing apparatus according to
Claim 1, characterized by further comprising: a
recording device for storing data validated by said
cryptography process section.

13. The data processing apparatus according to
Claim 12, characterized in that:

said control section is configured so that if in
the process executed by said cryptography
process section to collate the partial integrity
check value, the collation is not established,
and

said control section suspends the process for
storing data in said recording device.

14. The data processing apparatus according to
Claim 1, characterized by further comprising: a
reproduction process section for reproducing data
validated by said cryptography process section.

15. The data processing apparatus according to 
Claim 14, characterized in that: 

If in the process executed by said cryptography 
process section to collate the partial integrity 
check value, the collation is not established, 
and 

said control section suspends the reproduction 
process in said reproduction process section. 

16. The data processing apparatus according to 
Claim 14, characterized by comprising: control 
means for collating only the header section integrity 
check values in the data during the process execut- 
ed by said cryptography process section to collate 
the partial integrity check values and transmitting 
data for which collation of the header section integ- 
rity check values has been established, to said re- 
production process section for reproduction. 

17. A data processing apparatus for processing 
content data provided by a recording or communi- 
cation medium, characterized in that said appara- 
tus comprises: 

a cryptography process section for executing a
cryptography process on said content data; and
a control section for executing control for said
cryptography process section, and
said cryptography process section: is configured
to generate, if data to be verified are encrypted,
integrity check values for the data to
be verified by means of a signature data-applied
cryptography process from data on arithmetic
operation results obtained by executing
an arithmetic operation process on decrypted
data obtained by executing a decryption process
on the encrypted data.

18. The data processing apparatus according to 
Claim 17, characterized in that: said arithmetic op- 
eration process comprises performing an exclu- 
sive-OR operation on decrypted data every prede- 
termined bytes, the decrypted data being obtained 
by decrypting said encrypted data. 

19. A data processing method for processing con- 
tent data provided by a recording or communication 
medium, characterized in that said method: 

generates partial integrity check values as in- 
tegrity check values for a partial data set con- 
taining one or more partial data obtained by a 
content data constituting section into a plurality 
of parts, and collates the generated integrity 
check values to verify said partial data, and 
generates an intermediate integrity check value 
based on a partial integrity check value set data 
string containing at least one or more of said 
partial integrity check values, and uses the gen- 
erated intermediate integrity check value to ver- 
ify the entirety of the plurality of partial data sets 
corresponding to the plurality of partial integrity 
check values constituting said partial integrity 
check value set. 

20. The data processing method according to Claim
19, characterized in that:

said partial integrity check value is generated 
by means of a cryptography process with a par- 
tial-check-value-generating key applied there- 
to, using partial data to be checked, as a mes- 
sage, and 

said intermediate integrity check value is gen- 
erated by means of a cryptography process 
with a general-check-value-generating key
applied thereto, using a partial integrity check 
value set data string to be checked, as a mes- 
sage. 

21. The data processing method according to Claim
20, characterized in that: said partial integrity
check value is generated by applying different types
of partial-check-value-generating keys corresponding
to generated partial integrity check values.

22. The data processing method according to Claim
20, characterized in that: said cryptography proc- 
ess is a DES cryptography process. 

23. The data processing method according to Claim 
19, characterized in that: 

said partial integrity check value is a message 
authentication code (MAC) generated in a 
DES-CBC mode using partial data to be 
checked, as a message, and 
said intermediate value is a message authenti- 
cation code (MAC) generated in a DES-CBC 
mode using a partial integrity check value set 
data string to be checked, as a message. 

24. The data processing method according to Claim 
19, characterized in that: a value generated from 
said intermediate value by means of a signature 
key-applied cryptography process is applied as a 
collation value for data verification. 

25. The data processing method according to Claim
24, characterized in that: different signature keys
are applied to the cryptography process for said
intermediate integrity check value depending on a
localization of said content data, to obtain the
collation value for data verification.

26. The data processing method according to Claim
25, characterized in that: a common signature key
common to all entities of a system for executing a 
data verifying process or an apparatus-specific sig- 
nature key specific to each apparatus that executes 
a data verifying process is selected and used as 
said signature key depending on the localization of 
the content data. 
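
The two-level check of Claims 19 to 26, as an added Python sketch that is not part of the patent text: partial check values per part, an intermediate value over the string of partial values, and a collation value made with a common or apparatus-specific signature key. Assumptions: truncated HMAC-SHA256 stands in for the DES block operation, the length prefix and zero padding are choices of this sketch, and all key names and sample parts are constructed.

```python
import hashlib
import hmac

BLOCK = 8  # DES block size in bytes


def E(key: bytes, block: bytes) -> bytes:
    """One 8-byte block 'encryption'. Assumption: HMAC-SHA256 truncated to
    8 bytes stands in for DES, which the Python standard library lacks."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cbc_mac(key: bytes, message: bytes) -> bytes:
    """CBC-MAC: XOR each block into the running state, encrypt, keep the last state."""
    # The length prefix is added hardening of this sketch, not taken from the
    # claims; it closes the variable-length CBC-MAC extension forgery.
    data = len(message).to_bytes(BLOCK, "big") + message
    data += bytes(-len(data) % BLOCK)          # zero padding to a full block
    state = bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(state, data[i:i + BLOCK]))
        state = E(key, mixed)
    return state


def impart(parts, k_part, k_total, k_sign):
    """Provider side: returns (partial check values, collation value)."""
    partial = [cbc_mac(k_part, p) for p in parts]
    intermediate = cbc_mac(k_total, b"".join(partial))
    return partial, E(k_sign, intermediate)


def verify(parts, partial, collation, k_part, k_total, k_sign):
    """Device side. Returns (ok, index of the first bad part or None)."""
    if len(parts) != len(partial):
        return False, None
    for i, (part, icv) in enumerate(zip(parts, partial)):
        if not hmac.compare_digest(cbc_mac(k_part, part), icv):
            return False, i                    # level 1: this part was altered
    intermediate = cbc_mac(k_total, b"".join(partial))
    if not hmac.compare_digest(E(k_sign, intermediate), collation):
        return False, None                     # level 2: the set as a whole was altered
    return True, None


# Constructed sample keys and content parts (hypothetical values).
K_PART, K_TOTAL = b"part-key", b"totalkey"
K_SYS = b"common-signature-key"                # shared by every apparatus
K_DEV_A, K_DEV_B = b"device-A-key", b"device-B-key"
PARTS = [b"header: usage policy", b"content block 1", b"content block 2"]


def demo():
    keys = (K_PART, K_TOTAL, K_SYS)
    partial, coll = impart(PARTS, *keys)
    results = {"intact": verify(PARTS, partial, coll, *keys)}

    edited = [PARTS[0], b"content block X", PARTS[2]]
    results["edited_part"] = verify(edited, partial, coll, *keys)

    # Reordering parts together with their check values passes level 1;
    # only the intermediate value over the whole string catches it.
    results["reordered"] = verify(PARTS[::-1], partial[::-1], coll, *keys)

    # Content localized to apparatus A: collation value made with A's key.
    _, coll_a = impart(PARTS, K_PART, K_TOTAL, K_DEV_A)
    results["bound_on_A"] = verify(PARTS, partial, coll_a, K_PART, K_TOTAL, K_DEV_A)
    results["bound_on_B"] = verify(PARTS, partial, coll_a, K_PART, K_TOTAL, K_DEV_B)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} {outcome}")
```
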

27. The data processing method according to Claim
19, characterized in that:

said partial integrity check value contains one 
or more header section integrity check values 
generated for intra-header-section data partly 
constituting data and one or more content in- 
tegrity check values generated for intra-con- 
tent-section data partly constituting the data, 
and 

a data verifying process: 

generates one or more header section in- 
tegrity check values for a partial data set in 
said intra-header-section data to execute 
a collation process; 

generates one or more content integrity 
check values for a partial data set in said 
intra-content-section data to execute a col- 
lation process; and 
further generates a general integrity check
value based on all said header section in- 
tegrity check values and said content integ- 
rity check values generated, to execute a 
collation process in order to verify the data.

28. The data processing method according to Claim 
19, characterized in that: 

said partial integrity check value contains one
or more header section integrity check values 
generated for intra-header-section data partly
constituting data, and 
the data verifying process: 

generates one or more header section in- 
tegrity check values for a partial data set in 
said intra-header-section data to execute 
a collation process; and 
further generates a general integrity check 
value based on said one or more header 
section integrity check values generated 
and on content block data constituting part 
of said data, to execute a collation process 
in order to verify the data.

29. The data processing method according to Claim
19, characterized by further comprising: a process
for storing, after data verification, storing validated
data.

30. The data processing method according to Claim
29, characterized in that: if in the process for collating
said partial integrity check value, the collation
is not established, control is executed such as to
suspend the process for storing data in said recording
device.

31. The data processing method according to Claim
19, characterized by further comprising: a data
reproduction process for reproducing data after the
data verification.

32. The data processing method according to Claim
31, characterized in that:

if in the process for collating said partial integrity
check value, the collation is not established,
and

control is executed such as to suspend the
reproduction process executed in said reproduction
process section.

33. The data processing method according to Claim
31, characterized in that said method:

collates only the header section integrity check
values in the data during the process for collating
the partial integrity check values and transmits
data for which collation of the header section
integrity check values has been established,
to said reproduction process section for
reproduction.

34. The data processing method for processing
content data provided by a recording or communication
medium, the method being characterized in
that said method:

if data to be verified are encrypted, executes an
arithmetic operation process on decrypted data
obtained by decrypting the encrypted data,
executes a signature key-applied cryptography
process on data on arithmetic operation results
obtained by said arithmetic operation, to generate
integrity check values for said data to be
verified.

35. The data processing method according to Claim
34, characterized in that: said arithmetic operation
process comprises performing an exclusive-OR
operation on decrypted data every predetermined
bytes, the decrypted data being obtained by
decrypting said encrypted data.

36. A data verifying value imparting method for a
data verifying process, characterized in that said
method:

imparts partial integrity check values as integrity
check values for a partial data set containing
one or more partial data obtained by a content
data constituting section into a plurality of
parts, and

imparts to data to be verified, an intermediate
integrity check value used to verify a partial
integrity check value set data string containing at
least one or more of said partial integrity check
values.

37. The data verifying value imparting method ac- 
cording to Claim 36, characterized in that: 

said partial integrity check value is generated 
by means of a cryptography process with a par- 
tial-check-value-generating key applied there- 
to, using partial data to be checked, as a mes- 
sage, and 

said intermediate integrity check value is gen- 
erated by means of a cryptography process 
with a general-check-value-generating key
applied thereto, using a partial integrity check 
value set data string to be checked, as a mes- 
sage. 

38. The data verifying value imparting method according
to Claim 37, characterized in that: said
partial integrity check value is generated by apply- 
ing different types of partial-check-value-generat- 
ing keys corresponding to generated partial integri- 
ty check values. 

39. The data verifying value imparting method ac- 
cording to Claim 37, characterized in that: said 
cryptography process is a DES cryptography proc- 



40. The data verifying value imparting method ac- 
cording to Claim 36, characterized in that: 

said partial integrity check value is a message 
authentication code (MAC) generated in a 
DES-CBC mode using partial data to be 
checked, as a message, and
said intermediate value is a message authenti- 
cation code (MAC) generated in a DES-CBC 
mode using a partial integrity check value set 
data string to be checked, as a message. 

41. The data verifying value imparting method ac- 
cording to Claim 36, characterized in that: a value 
generated from said intermediate value by means 
of a signature key-applied cryptography process is 
applied as a collation value for data verification. 

42. The data verifying value imparting method according
to Claim 41, characterized in that: different
signature keys are applied to the cryptography
process for said intermediate integrity check value
depending on a localization of said content data, to 
obtain the collation value for data verification. 
43. The data verifying value imparting method according
to Claim 42, characterized in that: a common
signature key common to all entities of a system
for executing a data verifying process or an
apparatus-specific signature key specific to each
apparatus that executes a data verifying process is
selected and used as said signature key depending
on the localization of the content data.

44. The data verifying value imparting method according
to Claim 36, characterized in that:

said partial integrity check value contains one
or more header section integrity check values
for intra-header-section data partly constituting
data and one or more content integrity
check values for intra-content-section data
partly constituting the data, and
said method is set so that a general integrity
check value is generated for all said header
section integrity check values and said content
integrity check values, to verify the data.

45. The data verifying value imparting method according
to Claim 36, characterized in that:

said partial integrity check value contains one
or more header section integrity check values
for intra-header-section data partly constituting
data, and

said method is set so that a general integrity
check value is generated for said one or more
header section integrity check values and content
block data partly constituting said data, to
verify the data.

46. A program providing medium for providing a
computer program for causing a data verifying process
to be executed on a computer system to verify
that data are valid, the program providing medium
being characterized in that said computer program
comprises steps of:

executing a collation process using partial integrity
check values generated as integrity
check values for a partial data set containing
one or more partial data obtained by dividing
data a plurality of parts, and
using an intermediate integrity check value
based on a partial integrity check value set obtained
by combining a plurality of said partial
integrity check values together, to verify the entirety
of a plurality of partial data sets corresponding
to the plurality of partial integrity
check values constituting said partial integrity
check value set.

47. A data processing apparatus comprising:

an encryption processing section that executes
encryption processing of at least one of data 
encryption, data decryption, data verification, 
authentication processing and signature 
processing; and 

a storage section that stores master keys to 
generate keys used for said encryption 
processing, 

characterized in that said encryption 
processing section is configured to generate indi- 
vidual keys necessary to execute said encryption 
processing based on said master keys, an encryp- 
tion processing target apparatus or data identifica- 
tion data. 

48. The data processing apparatus according to 
Claim 47, characterized in that said data process- 
ing apparatus is a data processing apparatus that 
performs encryption processing on transfer data via 
a storage medium or communication medium, 






said storage section stores a distribution key 
generation master key MKdis for generating a 
distribution key Kdis used for encryption 
processing of said transfer data, and 
said encryption processing section executes
encryption processing based on the distribution 
key generation master key MKdis stored in said 
storage section and a data identifier, which is 
identification data of said transfer data and generates
said transfer data distribution key Kdis.

49. The data processing apparatus according to 
Claim 47, characterized in that said data process- 
ing apparatus is a data processing apparatus that 
performs authentication processing of an externally
connected apparatus to/from which data is trans- 
ferred, 

said storage section stores an authentication
key generation master key MKake for generating
an authentication key Kake of said externally
connected apparatus, and
said encryption processing section executes
encryption processing based on the authentication
key generation master key MKake
stored in said storage section and an externally
connected apparatus identifier, which is identification
data of said externally connected apparatus
and generates the authentication key
Kake of said externally connected apparatus.

50. The data processing apparatus according to 
Claim 47, characterized in that said data process- 
ing apparatus is a data processing apparatus that 
performs signature processing on data,

said storage section stores a signature key
generation master key MKdev for generating a
data processing apparatus signature key Kdev
of said data processing apparatus, and
said encryption processing section executes
encryption processing based on the signature
key generation master key MKdev stored in
said storage section and a data processing apparatus
identifier, which is identification data of
said data processing apparatus and generates
the data processing apparatus signature key
Kdev of said data processing apparatus.

51. The data processing apparatus according to
Claim 47, characterized in that individual key generation
processing that generates an individual key
necessary to execute encryption processing based
on said master key and identification data of the apparatus
or data subject to encryption processing is
encryption processing that uses at least part of
identification data of the apparatus or data subject
to encryption processing as a message and applies
said master key as the encryption key.

52. The data processing apparatus according to 
Claim 51, characterized in that said encryption 
processing is encryption processing using a DES 
algorithm. 

53. A data processing system configured by a plu- 
rality of data processing apparatuses, character- 
ized in that each of said plurality of data processing 
apparatuses having a common master key to gen- 
erate a key used for encryption processing of at 
least one of data encryption, data decryption, data
verification, authentication processing and signa- 
ture processing, and 

each of said plurality of data processing appa- 
ratuses generating a common individual key 
necessary to execute said encryption process- 
ing based on said master key and identification 
data of the apparatus or data subject to encryp- 
tion processing. 

54. The data processing system according to Claim
53, characterized in that said plurality of data
processing apparatuses is configured by a contents 
data providing apparatus that supplies contents da- 
ta and a contents data utilization apparatus that uti- 
lizes the contents data, 

both the contents data providing apparatus and 
contents data utilization apparatus have a dis- 
tribution key generation master key to generate 
a contents data distribution key used for en- 
cryption processing of circulation contents data 
between said contents data providing appara- 
tus and contents data utilization apparatus, 
said contents data providing apparatus gener- 
ates a contents data distribution key based on 
said distribution key generation master key and 
contents identifier, which is an identifier of sup- 
plied contents data and executes encryption 
processing on said contents data, and 
said contents data utilization apparatus gener- 
ates a contents data distribution key based on 
said distribution key generation master key and 
contents identifier, which is an identifier of sup- 
plied contents data and executes decryption 
processing on said contents data. 

55. The data processing system according to Claim
54, characterized in that said contents data providing
apparatus has a plurality of different distribution
key generation master keys to generate a plurality
of different contents data distribution keys,
generates a plurality of different contents data distribution
keys based on said plurality of distribution
key generation master keys and said contents identifier,
executes encryption processing using said
plurality of distribution keys generated and generates
encryption contents data of a plurality of types,
and

said contents data utilization apparatus has at
least one distribution key generation master
key of the plurality of different distribution key
generation master keys owned by said contents
data providing apparatus and makes decodable
only encryption contents data by a distribution
key generated using the same distribution
key generation master key as the distribution
key generation master key owned by the
own apparatus.

56. The data processing system according to Claim
53, characterized in that each of said plurality of
data processing apparatuses stores a same contents
key generation master key to generate a contents
key used for encryption processing of contents
data,

data processing apparatus A, which is one of
said plurality of data processing apparatuses,
stores contents data encrypted by a contents
key generated based on said contents key generation
master key and the apparatus identifier
of said data processing apparatus A in a storage
medium,
different data processing apparatus B generates
a contents key based on said same contents
key generation master key and the apparatus
identifier of said data processing apparatus
A and executes decryption processing on
the encrypted contents data stored by said data
processing apparatus A in said storage medium
based on said contents key generated.

57. The data processing system according to Claim
53, characterized in that said plurality of data
processing apparatuses are configured by a host
device and a slave device subject to authentication
processing by said host device,

both said host device and said slave device
have an authentication key generation master
used for authentication processing between the
host device and slave device,
said slave device generates an authentication
key based on said authentication key generation
master key and said slave device identifier,
which is the identifier of said slave device and
stores in memory in the slave device, and
said host device generates an authentication
key based on said authentication key generation
master key and the slave device identifier,
which is the identifier of said slave device and
executes authentication processing.

58. A data processing method that executes en- 
cryption processing of at least one of data encryp- 
tion, data decryption, data verification, authentica- 
tion processing and signature processing, compris- 
ing: 

a key generating step of generating individual 
keys necessary to execute encryption process- 
ing based on master keys to generate the key 
used for said encryption processing and iden- 
tification data of the apparatus or data subject 
to encryption processing; and 
an encryption processing step of executing en- 
cryption processing based on the key generat- 
ed in said key generating step. 

59. The data processing method according to Claim 
58, characterized in that data processing execut- 
ed by said data processing method is encryption 
processing on transfer data via a storage medium 
or communication medium, 

said key generating step is a distribution key 
generating step of executing encryption 
processing based on a distribution key generation
master key MKdis for generating a distribution
key Kdis used for encryption processing
of transfer data and a data identifier, which is 
identification data of said transfer data, and 
generating distribution key Kdis of said transfer 
data, and 

said encryption processing step is a step of ex- 
ecuting encryption processing on transfer data 
based on the distribution key Kdis generated in 
said distribution key generating step. 

60. The data processing method according to Claim 
58, characterized in that data processing execut- 
ed by said data processing method is authentication 
processing of an externally connected apparatus to/ 
from which data is transferred, 

said key generating step is an authentication 
key generating step of executing encryption 
processing based on an authentication key 
generation master key MKake for generating 
an authentication key Kake of said externally 
connected apparatus and an externally con- 
nected apparatus identifier, which is identifica- 
tion data of said externally connected appara- 
tus, and generating said authentication key 
Kake of said externally connected apparatus, 
and 

said encryption processing step is a step of executing
authentication processing of the externally
connected apparatus based on the authentication
key Kake generated in said authentication
key generating step.

61. The data processing method according to Claim
58, characterized in that data processing executed
by said data processing apparatus is signature
processing on data,

said key generating step is a signature key generating
step of executing encryption processing
based on a signature key generation master
key MKdev for generating a data processing
apparatus signature key Kdev of said data
processing apparatus and a data processing
apparatus identifier, which is identification data
of said data processing apparatus and generating
the data processing apparatus signature
key Kdev of said data processing apparatus,
and

said encryption processing step is a step of executing
signature processing on data based on
the signature key Kdev generated in said signature
key generating step.

62. The data processing method according to Claim
58, characterized in that said key generating step
is encryption processing that uses at least part of
data identification of the apparatus or data subject
to encryption processing as a message and applies
said master key as the encryption key.

63. The data processing method according to Claim 
62, characterized in that said encryption process- 
ing is encryption processing using a DES algorithm. 
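
The master-key scheme of Claims 47 to 63, as an added Python sketch that is not part of the patent text: each individual key is regenerated on demand from a stored master key and an identifier, so a host needs no per-device key table. Assumptions: truncated HMAC-SHA256 stands in for the DES encryption, the challenge-response exchange is one possible form of the "authentication processing" the claims leave open, and every key, identifier and tier name is constructed.

```python
import hashlib
import hmac
import os


def derive(master_key: bytes, identifier: bytes) -> bytes:
    """Individual key = E(master key, identifier): the identifier is the
    message and the master key is the encryption key. Assumption: truncated
    HMAC-SHA256 stands in for the DES encryption named in the claims."""
    return hmac.new(master_key, identifier, hashlib.sha256).digest()[:8]


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Slave:
    """Recording device: derives Kake from its own identifier and stores it."""

    def __init__(self, device_id: bytes, mk_ake: bytes):
        self.device_id = device_id
        self.k_ake = derive(mk_ake, device_id)

    def respond(self, challenge: bytes) -> bytes:
        return mac(self.k_ake, challenge)


class Host:
    """Stores MKake only and regenerates a slave's Kake from the reported ID."""

    def __init__(self, mk_ake: bytes):
        self.mk_ake = mk_ake

    def authenticate(self, slave: Slave) -> bool:
        challenge = os.urandom(16)             # fresh per attempt
        expected = mac(derive(self.mk_ake, slave.device_id), challenge)
        return hmac.compare_digest(expected, slave.respond(challenge))


def decodable_tiers(player_masters: dict, content_id: bytes, tier_keys: dict) -> list:
    """Tiers whose distribution key a player can regenerate from the
    distribution master keys it holds (several masters, one content ID)."""
    return sorted(
        tier for tier, kdis in tier_keys.items()
        if tier in player_masters
        and hmac.compare_digest(derive(player_masters[tier], content_id), kdis)
    )


# Constructed sample values (hypothetical).
MK_AKE = b"authentication-master-key"
MK_CON = b"contents-master-key"
MK_DIS = {"basic": b"distribution-master-1", "premium": b"distribution-master-2"}
CONTENT_ID = b"CONTENT-0042"


def demo():
    host = Host(MK_AKE)
    genuine = Slave(b"REC-0001", MK_AKE)
    clone = Slave(b"REC-0001", b"some-other-master-key")  # same ID, wrong master

    # Provider encrypts one content under a distribution key per master key.
    tier_keys = {tier: derive(mk, CONTENT_ID) for tier, mk in MK_DIS.items()}
    basic_player = {"basic": MK_DIS["basic"]}

    # Apparatus A stored content under a key derived from A's identifier;
    # apparatus B rebuilds that key from the shared master and A's identifier.
    key_of_a = derive(MK_CON, b"DEV-A")
    return {
        "genuine_slave": host.authenticate(genuine),
        "cloned_id": host.authenticate(clone),
        "basic_player_tiers": decodable_tiers(basic_player, CONTENT_ID, tier_keys),
        "full_player_tiers": decodable_tiers(MK_DIS, CONTENT_ID, tier_keys),
        "b_rebuilds_a_key": derive(MK_CON, b"DEV-A") == key_of_a,
        "b_own_key_differs": derive(MK_CON, b"DEV-B") != key_of_a,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

Because every apparatus holds the same master key, extracting that key from one apparatus yields the individual key for any identifier, so the master key storage is the part to protect.
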


64. A data processing method in a data processing
system comprising:

a contents data providing apparatus that supplies
contents data; and
a contents data utilization apparatus that utilizes
the contents data, characterized in that
said contents data providing apparatus generates
a contents data distribution key based on
a distribution key generation master key for
generating a contents data distribution key
used for encryption processing on contents data
and a contents identifier, which is the identifier
of the provided contents data and executes
encryption processing on said contents data,
and

said contents data utilization apparatus generates
a contents data distribution key based on
said distribution key generation master key and
a contents identifier, which is the identifier of the
provided contents data and executes decryption
processing on said contents data.



65. The data processing method according to Claim 
54, characterized in that said contents data pro- 
viding apparatus has a plurality of different distribu- 
tion key generation master keys to generate a plu- 
rality of different contents data distribution keys, 
generates a plurality of different contents data dis- 
tribution keys based on said plurality of distribution 
key generation master keys and said contents iden- 
tifier, executes encryption processing using said 
plurality of distribution keys generated and gener- 
ates encryption contents data of a plurality of types, 
and 

said contents data utilization apparatus has at 
least one distribution key generation master 
key of the plurality of different distribution key 
generation master keys owned by said con- 
tents data providing apparatus and decrypts 
only encryption contents data by a distribution 
key generated using the same distribution key 
generation master key as the distribution key 
generation master key owned by the own ap- 
paratus. 

66. A data processing method in a data processing 
system configured by a plurality of data processing 
apparatuses comprising: 

a step of storing, by data processing apparatus 
A, which is one of said plurality of data process- 
ing apparatuses, in a storage medium contents 
data encrypted using a contents key generated 
based on a contents key generation master key 
to generate a contents key used for encryption 
processing of contents data and the apparatus 
identifier of said data processing apparatus A; 
a step of generating the same contents key as 
said contents key by different data processing 
apparatus B based on the same said contents 
key generation master key as that of said data 
processing apparatus A and the apparatus 
identifier of said data processing apparatus A; 
and 

a step of decrypting the contents data stored in 
said storage medium using the contents key 
generated by said data processing apparatus 
B. 

67. A data processing method in a data processing 
system comprising: 

a host device; and 

a slave device subject to authentication 
processing by said host device, characterized 
in that 

said slave device generates an authentication 
key based on an authentication key generation 
master key to generate an authentication key 






used for authentication processing between the 
host device and slave device and a slave de- 
vice identifier, which is the identifier of said 
slave device and stores the authentication key 
generated in memory in said slave device, and
said host device generates an authentication 
key based on said authentication key genera- 
tion master key and slave device identifier, 
which is the identifier of said slave device and 
executes authentication processing.

68. A program providing medium that supplies a 
computer program to execute encryption processing
of at least one of data encryption, data decryption,
data verification, authentication processing
and signature processing on a computer system, 
said computer program comprising: 

a key generating step of generating individual 
keys necessary to execute said encryption
processing based on said master keys to gen- 
erate the keys used for said encryption 
processing and identification data of the appa- 
ratus or data subject to encryption processing; 
and
an encryption processing step of executing en- 
cryption processing based on the keys gener- 
ated in said key generating step. 

69. A data processing apparatus that processes
contents data supplied from a storage medium or 
communication medium, comprising: 

a storage section that stores data processing 
apparatus identifiers;
a list verification section that extracts an illegal 
device list included in the contents data and ex- 
ecutes collation between entries of said list and 
said data processing apparatus identifiers 
stored in said storage section; and
a control section that stops executing process- 
ing of at least either one of reproduction of said 
contents data or processing of storage in a re- 
cording device when the result of the collation 
processing in said collation processing section
shows that said illegal device list includes infor- 
mation that matches said data processing iden- 
tifiers. 

70. The data processing apparatus according to
Claim 69, characterized in that said list verification 
section comprises an encryption processing sec- 
tion that executes encryption processing on said 
contents data; and 


said encryption processing section verifies the 
presence or absence of tampering in said illegal 
device list based on check values of the illegal 



device list included in said contents data and 
executes said collation processing only when 
said verification proves no tampering. 

71. The data processing apparatus according to 
Claim 70, further comprising an illegal device list 
check value generation key, characterized in that
said encryption processing section executes en- 
cryption processing applying said illegal device list 
check value generation key to illegal device list con- 
figuration data to be verified, generates illegal de- 
vice list check values, executes collation between 
said illegal device list check values and the illegal 
device list check values included in said contents 
data and thereby verifies the presence or absence 
of tampering in said illegal device list. 

72. The data processing apparatus according to 
Claim 69, characterized in that

said list verification section comprises an en- 
cryption processing section that executes en- 
cryption processing on said contents data; and 
said encryption processing section executes 
decryption processing of the encrypted illegal 
device list included in said contents data and 
executes said collation processing on the ille- 
gal device list resulting from said decryption 
processing. 

73. The data processing apparatus according to 
Claim 69, characterized in that

said list verification section comprises an en- 
cryption processing section that executes mu- 
tual authentication processing with a recording 
device to/from which contents data is trans- 
ferred; and 

said list verification section extracts the illegal 
device list included in said contents data and 
executes collation with said data processing 
apparatus identifiers stored in said storage sec- 
tion on condition that authentication with said 
recording device has been established through 
mutual authentication processing executed by 
said encryption processing section. 

74. A data processing method that processes con- 
tents data supplied from a storage medium or com- 
munication medium, comprising: 

a list extracting step of extracting an illegal de- 
vice list included in the content data; 
a collation processing step of executing colla- 
tion between entries included in the list extract- 
ed in said list extracting step and said data 
processing apparatus identifiers stored in a 
storage section in the data processing apparatus; and

a step of stopping execution of processing of at 
least either one of reproduction of said contents 
data or processing of storage in a recording device
when the result of the collation processing
in said collation processing step shows that 
said illegal device list includes information that 
matches said data processing identifiers. 

75. The data processing method according to Claim
74, further comprising a verification step of verifying
the presence or absence of tampering in said illegal 
device list based on check values of the illegal de- 
vice list included in said contents data, 

characterized in that said collation processing
step executes collation processing only when
said verification step proves no tampering. 

76. The data processing method according to Claim
75, characterized in that said verification step
comprises:

a step of executing encryption processing applying
an illegal device list check value generation key
to illegal device list configuration data
to be verified and generating illegal device list 
check values; and 

a step of executing collation between the illegal 
device list check values generated and the illegal
device list check values included in said
contents data and thereby verifying the pres- 
ence or absence of tampering in said illegal de- 
vice list. 

77. The data processing method according to Claim
74, further comprising a decrypting step of execut- 
ing decrypting processing on the encrypted illegal 
device list included in said contents data, 

characterized in that said collation processing
step executes said collation processing on the
illegal device list resulting from said decrypting step. 

78. The data processing method according to Claim 
74, further comprising a mutual authentication 
processing step of executing mutual authentication
processing with a recording device to/from which 
contents data is transferred, characterized in that 

said collation processing step executes said 
collation processing on condition that authentication
with said recording device has been established
through mutual authentication
processing executed in said mutual authentica- 
tion processing step. 
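
The order of operations in claims 74 to 78 (authenticate, verify the list's check value, collate, stop on a match), as an added example that is not part of the patent. The header layout (2-byte count, 8-byte identifiers), all function names and the use of HMAC-SHA256 in place of the claimed encryption-based check value are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

ID_LEN = 8    # assumed width of a device identifier, in bytes
ICV_LEN = 32  # HMAC-SHA256 length; stand-in for the claimed check value

# Constructed sample values, not taken from the patent.
SAMPLE_KEY = b"constructed-list-icv-key"
SAMPLE_REVOKED = [b"DEV00017", b"DEV00042"]


class ListRejected(Exception):
    """The list is malformed or its check value does not collate."""


def list_check_value(key: bytes, list_data: bytes) -> bytes:
    # Stand-in for "encryption processing applying an illegal device list
    # check value generation key" (claim 76). The claims do not name HMAC.
    return hmac.new(key, list_data, hashlib.sha256).digest()


def build_header(key: bytes, revoked_ids: list[bytes]) -> bytes:
    # Contents generation side (claims 79 and 80): the list and its check
    # value are both stored as header information.
    if any(len(dev_id) != ID_LEN for dev_id in revoked_ids):
        raise ValueError("identifier has the wrong length")
    list_data = struct.pack(">H", len(revoked_ids)) + b"".join(revoked_ids)
    return list_data + list_check_value(key, list_data)


def extract_list(header: bytes) -> tuple[bytes, bytes]:
    # List extracting step: split the header into list data and stored
    # check value, rejecting a count that disagrees with the real length.
    if len(header) < 2 + ICV_LEN:
        raise ListRejected("header too short")
    (count,) = struct.unpack_from(">H", header, 0)
    end = 2 + count * ID_LEN
    if len(header) != end + ICV_LEN:
        raise ListRejected("entry count does not match header length")
    return header[:end], header[end:]


def verify_list(key: bytes, list_data: bytes, stored: bytes) -> None:
    # Verification step (claims 75 and 76): regenerate and collate.
    if not hmac.compare_digest(list_check_value(key, list_data), stored):
        raise ListRejected("check value mismatch")


def is_listed(list_data: bytes, own_id: bytes) -> bool:
    # Collation processing step (claim 74): compare every entry with the
    # identifier held in the device's own storage section.
    entries = (list_data[i:i + ID_LEN] for i in range(2, len(list_data), ID_LEN))
    return any(hmac.compare_digest(entry, own_id) for entry in entries)


def decide(header: bytes, key: bytes, own_id: bytes, authenticated: bool) -> str:
    # Failing closed on missing authentication or a rejected list is this
    # example's assumption; the claims only state when collation may run.
    if not authenticated:                      # claim 78 precondition
        return "stop: recording device not authenticated"
    try:
        list_data, stored = extract_list(header)
        verify_list(key, list_data, stored)    # claim 75: verify first
    except ListRejected as exc:
        return f"stop: list rejected ({exc})"
    if is_listed(list_data, own_id):
        return "stop: device is on the illegal device list"
    return "continue"


if __name__ == "__main__":
    hdr = build_header(SAMPLE_KEY, SAMPLE_REVOKED)
    print(decide(hdr, SAMPLE_KEY, b"DEV00042", True))
    print(decide(hdr, SAMPLE_KEY, b"DEV00099", True))
    # A list whose entry was overwritten no longer collates with its value.
    altered = hdr.replace(b"DEV00042", b"DEV00000")
    print(decide(altered, SAMPLE_KEY, b"DEV00042", True))
```

Verifying before collating matters because a device that trusted an unverified list would treat an altered list as proof that it is not excluded.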

79. A contents data generation method that gener- 
ates contents data supplied from a storage medium 
or communication medium to a plurality of
recorders/reproducers, characterized in that an illegal
device list whose component data comprises iden- 
tifiers of recorders/reproducers, which will be ex- 
cluded from the use of said contents data is stored 
as the header information of the contents data. 

80. The contents data generation method according 
to Claim 79, characterized in that illegal device list 
check values for a tampering check on said illegal 
device list are stored as the header information of 
the contents data. 

81. The contents data generation method according
to Claim 79, characterized in that said illegal de- 
vice list is encrypted and stored in the header infor- 
mation of the contents data. 

82. A program supply medium that supplies a com- 
puter program that allows a computer system to ex- 
ecute processing of contents data supplied from a 
storage medium or communication medium, said 
computer program comprising: 

a list extracting step of extracting an illegal de- 
vice list included in the contents data; 
a collation processing step of executing colla- 
tion between entries included in the list extract- 
ed in said list extracting step and said data 
processing apparatus identifiers stored in a 
storage section in the data processing appara- 
tus; and 

a step of stopping execution of processing of 
either one of reproduction of said contents data 
or processing of storage in a recording device 
when the result of the collation processing in 
said collation processing step shows that said 
illegal device list includes information that 
matches said data processing identifiers. 

83. A data processing apparatus that processes 
contents data supplied via a recording medium or 
communication medium, comprising: 

an encryption processing section that executes 
encryption processing on said contents data; 
a control section that executes control over said 
encryption processing section; 
a system common key used for encryption 
processing in said encryption processing sec- 
tion, which is common to other data processing 
apparatuses using said contents data; and 
at least one of an apparatus-specific key, which 
is specific to the data processing apparatus 
used for encryption processing in said encryp- 
tion processing section or an apparatus-specif- 
ic identifier to generate said apparatus-specific 
key, characterized in that 
said encryption processing section is configured
to perform encryption processing by applying
either one of said system common key
or said apparatus-specific key according to the
utilization mode of said contents data. 

84. The data processing apparatus according to 
Claim 83, characterized in that said encryption 
processing section executes encryption processing 
by applying either one of said system common key 
or said apparatus-specific key according to utiliza- 
tion restriction information included in said contents 
data. 

85. The data processing apparatus according to 
Claim 83, further comprising a recording device for 
recording contents data, characterized in that 

said encryption processing section, when im- 
posed with a utilization restriction that said con- 
tents data should be used only for the own data 
processing apparatus, generates data to be 
stored in said recording device by executing en- 
cryption processing using said apparatus-spe- 
cific key for said contents data; and 
in the case where said contents data is also 
made available to an apparatus other than the 
own data processing apparatus, data to be
stored in said recording device is generated by 
executing encryption processing using said 
system common key on said contents data. 

86. The data processing apparatus according to 
Claim 83, comprising a signature key Kdev specific 
to the data processing apparatus and a system sig- 
nature key Ksys common to a plurality of data 
processing apparatuses, characterized in that 

said encryption processing section, when said 
contents data is stored in said recording device 
imposed with a utilization restriction that said 
contents data should be used only for the own 
data processing apparatus, generates an ap- 
paratus-specific check value through encryp- 
tion processing applying said apparatus-specif- 
ic signature key Kdev to said contents data and, 
when said contents data is stored in said re- 
cording device with said contents data also 
made available to an apparatus other than the 
own data processing apparatus, generates an 
overall check value through encryption 
processing applying said system signature key 
Ksys to said contents data; and 
said control section performs control of storing 
either one of said apparatus-specific check val- 
ue generated by said encryption processing 
section or said overall check value together 
with said contents data in said recording de- 
vice. 



87. The data processing apparatus according to 
Claim 83, comprising a signature key Kdev specific 
to the data processing apparatus and a system sig- 
nature key Ksys common to a plurality of data 
processing apparatuses, characterized in that

said encryption processing section, when contents
data imposed with a utilization restriction
that said contents data should be used only for
the own data processing apparatus is reproduced,
generates an apparatus-specific check
value applying said apparatus-specific signature
key Kdev to said contents data and executes
collation processing on said apparatus-specific
check value generated and, when contents
data also made available to an apparatus
other than the own data processing apparatus
is reproduced, generates an overall check value
through encryption processing applying said
system signature key Ksys to said contents data
and performs collation processing on said
overall check value generated; and
said control section generates reproducible decrypted
data by continuing processing of contents
data by the encryption processing section
only when collation with said apparatus-specific
check value is established or when collation
with said overall check value is established.

88. The data processing apparatus according to
Claim 83, comprising a recording data processing
apparatus signature key master key MKdev and data
processing apparatus identifier IDdev, characterized
in that

said encryption processing section generates
a signature key Kdev as the data processing
apparatus specific key through encryption
processing based on said data processing apparatus
signature key master key MKdev and
said data processing apparatus identifier IDdev.

89. The data processing apparatus according to
Claim 88, characterized in that said encryption
processing section generates said signature key
Kdev through DES encryption processing applying
said data processing apparatus signature key master
key MKdev to said data processing apparatus
identifier IDdev.

90. The data processing apparatus according to
Claim 83, characterized in that said encryption
processing section generates an intermediate integrity
check value by executing encryption
processing on said contents data and executes encryption
processing applying said data processing
apparatus specific key or system common key to
said intermediate integrity check value.

91. The data processing apparatus according to 
Claim 90, characterized in that said encryption 
processing section generates a partial integrity
check value through encryption processing on a 
partial data set containing at least one partial data 
item obtained by dividing said contents data into a 
plurality of parts and generates an intermediate integrity
check value through encryption processing
on a partial integrity check value set data string con- 
taining said partial integrity check value generated. 

92. A data processing method that processes contents
data supplied via a recording medium or communication
medium, characterized by selecting either
one of an encryption processing system common
key common to other data processing apparatuses
using said contents data or an apparatus-specific
key, which is specific to the data processing apparatus
according to the utilization mode of said
contents data; and

executing encryption processing by applying
the selected encryption processing key to said
contents data.

93. The data processing method according to Claim 
92, characterized in that said encryption processing
key selecting step is a step of selecting according
to utilization restriction information contained in
said contents data. 

94. The data processing method according to Claim
92, characterized in that the processing of storing
contents data in the recording device, when imposed
with a utilization restriction that said contents
data should be used only for the own data processing
apparatus, generates data to be stored in said
recording device by executing encryption processing
applying said apparatus-specific key to said
contents data; and

in the case where said contents data is also
made available to an apparatus other than the
own data processing apparatus, data to be
stored in said recording device is generated by
executing encryption processing using said
system common key on said contents data.

95. The data processing method according to Claim
92, characterized in that when said contents data
is stored in said recording device imposed with a
utilization restriction that said contents data should
be used only for the own data processing apparatus,
the processing of recording contents data in the
recording device generates an apparatus-specific
check value through encryption processing applying
said apparatus-specific signature key Kdev to
said contents data and, when said contents data is
stored in said recording device with said contents
data also made available to an apparatus other than
the own data processing apparatus, generates an
overall check value through encryption processing
applying said system signature key Ksys to said
contents data; and

either one of said apparatus-specific check value
generated or said overall check value is
stored together with said contents data in said
recording device.

96. The data processing method according to Claim
92, characterized in that when contents data imposed
with a utilization restriction that said contents
data should be used only for the own data processing
apparatus is reproduced, the contents data reproducing
processing generates an apparatus-specific
check value through encryption processing applying
said apparatus-specific signature key Kdev
to said contents data and executes collation
processing on said apparatus-specific check value
generated and, when contents data imposed with a
utilization restriction that the contents data is also
made available to an apparatus other than the own
data processing apparatus is reproduced, generates
an overall check value through encryption
processing applying said system signature key
Ksys to said contents data and performs collation
processing on said overall check value generated;
and

contents data is reproduced only when collation 
with said apparatus-specific check value is es- 
tablished or when collation with said overall 
check value is established. 

97. The data processing method according to Claim 
92, further comprising a step of generating a signa- 
ture key Kdev as the data processing apparatus 
specific key through encryption processing based 
on data processing apparatus signature key master 
key MKdev and data processing apparatus identifi- 
er IDdev. 

98. The data processing method according to Claim 
97, characterized in that said signature key Kdev 
generating step is a step of generating said signa- 
ture key Kdev through DES encryption processing 
applying said data processing apparatus signature 
key master key MKdev to said data processing ap- 
paratus identifier IDdev. 

99. The data processing method according to Claim 
92, further comprising a step of generating an intermediate
integrity check value by executing encryption
processing on said contents data, characterized
by executing encryption processing applying
said data processing apparatus specific key or system
common key to said intermediate integrity
check value.

100. The data processing method according to 
Claim 99, characterized by further generating a 
partial integrity check value through encryption 
processing on a partial data set containing at least
one partial data item obtained by dividing said con- 
tents data into a plurality of parts and generating an 
intermediate integrity check value through encryp- 
tion processing on a partial integrity check value set 
data string containing said partial integrity check
value generated. 

101. A program supply medium that supplies a computer
program allowing a computer system to execute
data processing that processes contents data
supplied via a recording medium or communication 
medium, said computer program comprising the 
steps of: 

selecting either encryption processing key, an
encryption processing system common key
common to other data processing apparatuses
using said contents data or an apparatus-specific
key, which is specific to the data processing
apparatus according to the utilization mode
of said contents data; and 
executing encryption processing applying the 
selected encryption processing key to said con- 
tents data. 

102. A data processing apparatus that processes 
contents data supplied via a recording medium or 
communication medium, comprising: 

an encryption processing section that executes
encryption processing on said contents data; 
and 

a control section that executes control over said 
encryption processing section, characterized 
in that
said encryption processing section is config- 
ured to generate a contents check value in units 
of contents block data to be verified included in 
the data, execute collation on the contents 
check value generated and thereby execute
verification processing on the validity of each 
contents block data in said data. 

103. The data processing apparatus according to 
Claim 102, comprising a contents check value generation
key, characterized in that said encryption
processing section generates a contents intermediate
value based on contents block data to be verified
and generates a contents check value by executing
encryption processing applying said contents
check value generation key to said contents
intermediate value.

104. The data processing apparatus according to 
Claim 103, characterized in that when the con- 
tents block data to be verified is encrypted, said en- 
cryption processing section generates a contents 
intermediate value by executing predetermined op- 
eration processing on an entire decrypted state- 
ment obtained through decryption processing of 
said contents block data in units of a predetermined 
number of bytes, and when the contents block data 
to be verified is not encrypted, generates a contents 
intermediate value by executing predetermined operation
processing on the entire contents block data
in units of a predetermined number of bytes. 

105. The data processing apparatus according to 
Claim 104, characterized in that said predeter- 
mined operation processing applied in said interme- 
diate integrity check value generation processing 
by said encryption processing section is an exclu- 
sive-OR operation. 

106. The data processing apparatus according to 
Claim 104, characterized in that said encryption 
processing section has an encryption processing 
configuration in CBC mode and said decryption 
processing applied to the content intermediate val- 
ue generation processing when the contents block 
data to be verified is decryption processing in CBC 
mode. 

107. The data processing apparatus according to 
Claim 106, characterized in that the encryption 
processing configuration in CBC mode of said en- 
cryption processing section is a configuration in 
which common key encryption processing is ap- 
plied a plurality of times only to part of a message 
string to be processed. 

108. The data processing apparatus according to 
Claim 102, characterized in that when the con- 
tents block data contains a plurality of parts and 
some parts included in said contents block data are 
to be verified, said encryption processing section 
generates a contents check value based on the 
parts to be verified, executes collation processing 
on the contents check value generated and thereby 
executes verification processing on the validity in 
units of content block data in said data. 

109. The data processing apparatus according to 
Claim 108, characterized in that when said con- 
tents block data contains a plurality of parts and it 
is one part that needs to be verified, said encryption 
processing section generates a contents check value
by executing encryption processing applying the
contents check value generation key to a value obtained
by carrying out an exclusive-OR in units of a
predetermined number of bytes on the entire decrypted
statement obtained by decryption processing
of parts to be verified in the case where said
parts to be verified is encrypted, and generates a
contents check value by executing encryption
processing applying said contents check value generation
key to a value obtained by carrying out an
exclusive-OR in units of a predetermined number
of bytes on said entire part to be verified in the case
where said parts to be verified is not encrypted.

110. The data processing apparatus according to 
Claim 108, characterized in that when said con- 
tents block data contains a plurality of parts and it 
is a plurality of parts that needs to be verified, said 
encryption processing section uses, as a contents
check value, the result obtained by executing encryption
processing applying said contents check
value generation key to link data of a parts check
value obtained by executing encryption processing
applying a contents check value generation key to
each part.
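
The contents check value construction of claims 103 to 105, 109 and 110, as an added example that is not part of the patent. The 8-byte unit, all function names, the truncated HMAC-SHA256 used in place of the claimed encryption with the contents check value generation key, and the XOR pad used in place of CBC-mode decryption are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import hmac

UNIT = 8  # assumed "predetermined number of bytes" for the exclusive-OR

# Constructed sample values, not taken from the patent.
SAMPLE_ICV_KEY = b"constructed-contents-icv-key"
SAMPLE_CONTENT_KEY = b"constructed-content-key"
PART_A = bytes(range(16))
PART_B = b"constructed-sample-part!"  # 24 bytes, three units


def xor_fold(data: bytes, unit: int = UNIT) -> bytes:
    # Contents intermediate value (claims 104 and 105): exclusive-OR of the
    # data taken `unit` bytes at a time.
    if not data or len(data) % unit:
        raise ValueError("data must be a non-empty multiple of the unit size")
    acc = bytearray(unit)
    for offset in range(0, len(data), unit):
        for i in range(unit):
            acc[i] ^= data[offset + i]
    return bytes(acc)


def keyed(key: bytes, message: bytes) -> bytes:
    # Stand-in for "encryption processing applying the contents check value
    # generation key" (claim 103). The claims do not name HMAC.
    return hmac.new(key, message, hashlib.sha256).digest()[:UNIT]


def toy_crypt(key: bytes, data: bytes) -> bytes:
    # Placeholder for the CBC-mode decryption of claim 106: XOR with a
    # hash-derived pad, its own inverse. Not a real cipher.
    pad = hashlib.sha256(key).digest()
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(data))


def part_check_value(icv_key: bytes, part: bytes,
                     content_key: bytes | None = None) -> bytes:
    # Claim 109: an encrypted part is decrypted first, so the fold always
    # runs over the decrypted statement.
    plain = toy_crypt(content_key, part) if content_key else part
    return keyed(icv_key, xor_fold(plain))


def block_check_value(icv_key: bytes, parts: list[bytes],
                      content_key: bytes | None = None) -> bytes:
    if not parts:
        raise ValueError("no parts to verify")
    values = [part_check_value(icv_key, p, content_key) for p in parts]
    if len(values) == 1:
        return values[0]                    # claim 109: one part
    # Claim 110: key applied again to the link data of the parts check values.
    return keyed(icv_key, b"".join(values))


def verify_block(icv_key: bytes, parts: list[bytes], stored: bytes,
                 content_key: bytes | None = None) -> bool:
    # Collation: regenerate the value and compare in constant time.
    regenerated = block_check_value(icv_key, parts, content_key)
    return hmac.compare_digest(regenerated, stored)


if __name__ == "__main__":
    stored = block_check_value(SAMPLE_ICV_KEY, [PART_A, PART_B])
    print(verify_block(SAMPLE_ICV_KEY, [PART_A, PART_B], stored))
    flipped = bytes([PART_B[0] ^ 1]) + PART_B[1:]
    print(verify_block(SAMPLE_ICV_KEY, [PART_A, flipped], stored))
```

Because exclusive-OR is commutative, `xor_fold` returns the same value when the units inside one part are reordered; an order-sensitive MAC computed over the whole part (HMAC or CMAC, for example) does not have that property.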

111. The data processing apparatus according to 
Claim 102, characterized in that said encryption 
processing section further comprises a recording
device for storing contents data containing contents 
block data whose validity has been verified. 

112. The data processing apparatus according to 
Claim 111, characterized in that when collation is
not established in the collation processing on a con- 
tents check value in said encryption processing 
section, said control section stops storage in said 
recording device. 

113. The data processing apparatus according to 
Claim 102, characterized in that said encryption 
processing section further comprises a reproduc- 
tion processing section for reproducing data whose 
validity has been verified.

114. The data processing apparatus according to 
Claim 113, characterized in that when collation is 
not established in the collation processing on a contents
check value in said encryption processing
section, said control section stops reproduction 
processing in said reproduction processing section. 

115. A data processing method that processes contents
data supplied via a recording medium or communication
medium, characterized by generating
a contents check value in units of contents block
data to be verified included in the data, executing
collation on the contents check value generated
and thereby executing verification processing on 
the validity in units of contents block data in said 
data. 

116. The data processing method according to 
Claim 115, characterized by generating a contents
intermediate value based on contents block data to 
be verified and generating a contents check value 
by executing encryption processing applying said 
contents check value generation key to said con- 
tents intermediate value generated. 

117. The data processing method according to 
Claim 115, characterized by generating, when the 
contents block data to be verified is encrypted, a 
contents intermediate value by executing predeter- 
mined operation processing on an entire decrypted 
statement obtained through decryption processing 
of said contents block data in units of a predeter- 
mined number of bytes, and generating, when the 
contents block data to be verified is not encrypted, 
a contents intermediate value by executing prede- 
termined operation processing on the entire con- 
tents block data in units of a predetermined number 
of bytes. 

118. The data processing method according to 
Claim 117, characterized in that said predeter- 
mined operation processing applied in said interme- 
diate integrity check value generation processing is 
an exclusive-OR operation. 

119. The data processing method according to 
Claim 117, characterized in that in said contents 
intermediate value generation processing, said de- 
cryption processing applied to the content interme- 
diate value generation processing when the con- 
tents block data to be verified is encrypted is de- 
cryption processing in CBC mode. 

120. The data processing method according to 
Claim 119, characterized in that in said decryption 
processing configuration in CBC mode, common 
key encryption processing is applied a plurality of 
times only to part of a message string to be proc- 
essed. 

121. The data processing method according to 
Claim 115, characterized by generating, when the 
contents block data contains a plurality of parts and 
some parts included in said contents block data are 
to be verified, a contents check value based on the 
parts to be verified, executing collation processing 
on the contents check value generated and thereby 
executing verification processing on the validity in 
units of content block data in said data. 

122. The data processing method according to
Claim 121, characterized by generating, when the
contents block data contains a plurality of parts and
it is one part that needs to be verified, a contents
check value by executing encryption processing applying
the contents check value generation key to a
value obtained by carrying out an exclusive-OR in
units of a predetermined number of bytes on the entire
decrypted statement obtained by decryption
processing of parts to be verified in the case where
said part to be verified is encrypted, and generating
a contents check value by executing encryption
processing applying said contents check value generation
key to a value obtained by carrying out an
exclusive-OR in units of a predetermined number
of bytes on said entire part to be verified in the case
where said part to be verified is not encrypted.

123. The data processing method according to
Claim 121, characterized by using, when said contents
block data contains a plurality of parts and it
is a plurality of parts that needs to be verified, as a
contents check value, the result obtained by executing
encryption processing further applying said
contents check value generation key to link data of
a parts check value obtained by executing encryption
processing applying the contents check value
generation key to each part.

124. The data processing method according to
Claim 115, further comprising a step of storing contents
data containing contents block data whose validity
has been verified.

125. The data processing method according to
Claim 124, characterized in that when collation is
not established in the collation processing on a contents
check value, said control section stops storage
in said recording device.

126. The data processing method according to 
Claim 115, further comprising a step of reproducing
data whose validity has been verified. 

127. The data processing method according to
Claim 126, characterized by stopping reproduction
processing when collation is not established in the 
collation processing on a contents check value. 

128. A contents data verification value assignment
method for contents data verification processing,
characterized by generating a contents check value
in units of contents block data to be verified included
in the data, assigning the contents check
value generated to contents data containing the
contents block data to be verified.

129. The contents data verification value assignment
method according to Claim 128, characterized
in that said contents check value is generated
through encryption processing applying the con- 
tents check value generation key using the contents 
block data to be checked as a message. 

130. The contents data verification value assign- 
ment method according to Claim 128, character- 
ized in that said contents check value is generated 
by generating a contents intermediate value based 
on the contents block data to be verified and exe- 
cuting encryption processing applying said con- 
tents check value generation key to said contents 
intermediate value. 

131. The contents data verification value assign- 
ment method according to Claim 128, character- 
ized in that said contents check value is generated 
by executing encryption processing in CBC mode 
on the contents block data to be verified. 

132. The contents data verification value assign- 
ment method according to Claim 131, character- 
ized in that said encryption processing configura- 
tion in CBC mode is a configuration in which com- 
mon key encryption processing is applied a plurality 
of times only to part of a message string to be proc- 
essed. 

133. The contents data verification value assign- 
ment method according to Claim 128, character- 
ized by generating, when the contents block data 
contains a plurality of parts and some parts included 
in said contents block data are to be verified, a con- 
tents check value based on the parts to be verified 
and assigning the contents check value generated 
to contents data containing the content block data 
to be verified. 

134. The contents data verification value assign- 
ment method according to Claim 133, character- 
ized by generating, when said contents block data 
contains a plurality of parts and it is one part that 
needs to be verified, a contents check value by ex- 
ecuting encryption processing applying the con- 
tents check value generation key to a value ob- 
tained by carrying out an exclusive-OR in units of a 
predetermined number of bytes on the entire de- 
crypted statement obtained by decryption process- 
ing of parts to be verified in the case where said 
parts to be verified is encrypted, generating a con- 
tents check value by executing encryption process- 
ing applying said contents check value generation 
key to a value obtained by carrying out an exclu- 
sive-OR in units of a predetermined number of 
bytes on said entire part to be verified in the case 
where said parts to be verified is not encrypted and 
assigning the contents check value generated to 
the contents data containing the contents block data
to be verified.

135. The contents data verification value assignment
method according to Claim 133, characterized
by using, when said contents block data contains
a plurality of parts and it is a plurality of parts
that needs to be verified, as a contents check value,
the result obtained by executing encryption
processing further applying said contents check
value generation key to link data of a parts check
value obtained by executing encryption processing
applying the contents check value generation key
to each part and assigning the contents check value
generated to contents data containing the contents
block data to be verified.

136. A program supply medium that supplies a computer
program to execute data processing on contents
data supplied via a recording medium or communication
medium, said computer program comprising:

a step of generating a contents check value in
units of contents block data to be verified included
in the data; and

a step of executing collation processing on the
contents check value generated and thereby
executing verification processing on the validity
in units of contents block data in said data.



137. A data processing apparatus for executing processing for generating storing data with respect to a recording device of content data, which has a plurality of content blocks in which at least a part of the blocks are encrypted and a header section storing information on the contents blocks, characterized in that:

in the case in which content data to be an object of storage in said recording device is structured by data stored in said header section, which is an encryption key data Kdis[Kcon] that is an encryption key Kcon of said content block applied encryption processing by an encryption key Kdis,

said data processing apparatus has a structure for executing processing for taking out said encryption key data Kdis[Kcon] from said header section and executing decryption processing to generate decryption data Kcon, generating a new encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr and storing the new encryption key data Kstr[Kcon] in the header section of said content data, and applying a different encryption key Kstr to the generated decryption data Kcon to execute decryption processing.

138. A data processing apparatus for executing processing for generating storing data with respect to a recording device of content data, which has a plurality of content blocks in which at least a part of the blocks are encrypted and a header section storing information on the contents blocks, characterized in that:

in the case in which said content block included in content data to be an object of storage with respect to said recording device is composed of contents encrypted by an encryption key Kblc and encryption key data Kcon[Kblc] that is encrypted by the encryption key Kcon, and has a structure in which encryption key data Kdis[Kcon] that is the encryption key Kcon applied encryption processing by an encryption key Kdis is stored in said header section,

said data processing apparatus has a structure for executing processing for taking out said encryption key data Kdis[Kcon] from said header section and executing decryption processing to generate decryption data Kcon, generating a new encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr and storing the encryption key data Kstr[Kcon] in the header section of said content data, and applying a different encryption key Kstr to the generated decryption data Kcon to execute decryption processing.

139. A data processing apparatus for executing processing for generating storing data with respect to a recording device of content data, which has a plurality of content blocks in which at least a part of the blocks are encrypted and a header section storing information on the contents blocks, characterized in that:

in the case in which said content block included in content data to be an object of storage with respect to said recording device is composed of contents encrypted by an encryption key Kblc and encryption key data Kdis[Kblc] that is encrypted by the encryption key Kdis,

said data processing apparatus has a structure for executing processing for taking out said encryption key data Kdis[Kblc] from said content block section and executing decryption processing of the encryption key Kblc to generate decryption data Kblc, generating an encryption key data Kstr[Kblc] that is applied encryption processing by an encryption key Kstr and storing the encryption key data Kstr[Kblc] in a contents block section, and applying a different encryption key Kstr to the generated decryption data Kblc to execute decryption processing.
140. A content data generating method for generating content data, comprising:

coupling a plurality of content blocks composed of data including at least any one of voice information, image information and program data;

applying encryption processing to at least a part of content blocks included in said plurality of content blocks by an encryption key Kcon;

generating encryption key data Kdis[Kcon] that is said encryption key Kcon applied encryption processing by an encryption key Kdis and storing the encryption key Kdis in a header section of said content data; and

generating content data including said plurality of content blocks and the header section.

141. The content data generating method according to Claim 140, characterized in that said content data generating method further comprises processing of:

generating block information that stores information including;

identification information on content data;

usage policy information including a data length of the content data and a data type of the content data; and

information including a data length of said content block and presence or absence of encryption processing, and

storing the information in said header section.

142. The content data generating method according to Claim 140, characterized in that said content data generating method further comprises processing of:

generating a part check value based on a part of information composing said header section and storing the part check value in said header section; and

generating a total check value based on said part check value and storing the total check value in said header section.

143. The content data generating method according to Claim 142, characterized in that generation processing of said part check value and generation processing of said total check value are executed by applying a DES encryption processing algorithm with data to be an object of check as a message and a check value generation key as an encryption key.

144. The content data generating method according to Claim 141, characterized in that said content data generating method further comprises:

applying encryption processing to said block information by the encryption key Kbit and storing the encryption key data Kdis[Kbit] that is the encryption key Kbit generated by the encryption key Kdis in said header section.

145. The content data generating method according to Claim 140, characterized in that each block of a plurality of blocks in said content block is generated as a common fixed data length.

146. The content data generating method according to Claim 140, characterized in that each block of a plurality of blocks in said content block is generated as a configuration in which an encryption data section and a non-encryption data section are arranged regularly.

147. A content data generating method for generating content data comprising:

coupling a plurality of content blocks including at least any one of voice information, image information and program data;

composing at least a part of the plurality of content blocks by an encryption data section that is data including at least any one of voice information, image information and program data by an encryption key Kblc, and a set of encryption key data Kcon[Kblc] that is the encryption key Kblc of the encryption data section applied encryption processing by an encryption key Kcon;

generating encryption key data Kdis[Kcon] that is the encryption key Kcon applied encryption processing by an encryption key Kdis and storing the generated encryption key data Kdis[Kcon] in a header section of said content data; and

generating content data including a plurality of content blocks and a header section.

148. A content data generating method for generating content data comprising:

coupling a plurality of content blocks including at least any one of voice information, image information and program data;

composing at least a part of the plurality of content blocks, by an encryption data section that is data including at least any one of voice information, image information and program data by an encryption key Kblc, and a set of encryption key data Kdis[Kblc] that is the encryption key Kblc of the encryption data section applied encryption processing by an encryption key Kdis; and

generating content data including a plurality of content blocks and a header section.
149. A data processing method for executing processing for storing in a recording device of content data having a plurality of content blocks in which at least a part of blocks are encrypted, and a header section in which information on the content blocks is stored, comprising:

in the case in which content data to be an object of storage in said recording device is structured by data stored in said header section, which is an encryption key data Kdis[Kcon] that is an encryption key Kcon of said content block applied encryption processing by an encryption key Kdis,

taking out said encryption key data Kdis[Kcon] from said header section and executing decryption processing to generate decryption data Kcon;

generating a new encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kcon to execute encryption processing; and

storing said generated encryption key data Kstr[Kcon] in a header section of said content data, and storing the header section in said recording device together with said plurality of content blocks.

150. A data processing method for executing processing for storing in a recording device of content data having a plurality of content blocks in which at least a part of blocks are encrypted, and a header section in which information on the content blocks is stored, comprising:

in the case in which said content block included in content data to be an object of storage with respect to said recording device is composed of contents encrypted by an encryption key Kblc and encryption key data Kcon[Kblc] that is encrypted by the encryption key Kcon, and has a structure in which encryption key data Kdis[Kcon] that is the encryption key Kcon applied encryption processing by an encryption key Kdis is stored in said header section,

taking out said encryption key data Kdis[Kcon] from said header section and executing decryption processing to generate decryption data Kcon;

generating a new encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kcon to execute encryption processing; and

storing said generated encryption key data Kstr[Kcon] in a header section of said content data, and storing the header section in said recording device together with said plurality of content blocks.

151. A data processing method for executing processing for storing in a recording device of content data having a plurality of content blocks in which at least a part of blocks are encrypted, and a header section in which information on the content blocks is stored, comprising:

in the case in which said content block included in content data to be an object of storage with respect to said recording device is composed of contents encrypted by an encryption key Kblc and encryption key data Kdis[Kblc] that is encrypted by the encryption key Kdis,

taking out said encryption key data Kdis[Kblc] from said content block section and executing decryption processing of the encryption key Kblc to generate decryption data Kblc;

generating an encryption key data Kstr[Kblc] that is applied encryption processing by an encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kblc to execute encryption processing; and

storing said generated encryption key data Kstr[Kblc] in a content block section, and storing the content block section in said recording device together with said plurality of content blocks.

152. A program providing medium for providing a computer program causing generation processing of storing data with respect to a recording device of content data, which has a plurality of content blocks in which at least a part of the blocks are encrypted and a header section storing information on the contents blocks, to be executed on a computer system, characterized in that:

said computer program comprises:

in the case in which content data to be an object of storage in said recording device is structured by data stored in said header section, which is an encryption key data Kdis[Kcon] that is an encryption key Kcon of said content block applied encryption processing by an encryption key Kdis,

a step of taking out said encryption key data Kdis[Kcon] from said header section and executing decryption processing to generate decryption data Kcon;

generating a new encryption key data Kstr[Kcon] that is applied encryption processing by an encryption key Kstr by applying a different encryption key Kstr to the generated decryption data Kcon to execute encryption processing; and

storing said generated encryption key data Kstr[Kcon] in a header section of said content data.

153. A data processing apparatus for performing reproduction processing of content data provided by a storage medium or a communication medium, characterized by comprising:

a content data analyzing section for executing content data analysis of content data including compressed contents and an expansion processing program of said compressed contents, and executing extraction processing of the compressed contents and the expansion processing program from said content data; and

an expansion processing section for executing expansion processing of the content data included in said content data using an expansion processing program included in the content data obtained as a result of the analysis of said content data analyzing section.



154. The data processing apparatus according to Claim 153, characterized by further comprising:

a data storing section for storing the compressed contents that are extracted by said content data analyzing section; and

a program storing section for storing the expansion processing program extracted by said content data analyzing section, and characterized in that said expansion processing section has a configuration for executing expansion processing with respect to the compressed contents stored in said data storing section by applying the expansion processing program stored in said program storing section to the compressed contents.

155. The data processing apparatus according to Claim 153, characterized in that said contents data analyzing section has a configuration for obtaining a configuration information of content data based on header information included in said content data and performing analysis of the content data.

156. The data processing apparatus according to Claim 155, characterized in that reproduction priority information of the compressed contents is included in said header information and, if there are a plurality of compressed contents that are objects of expansion processing in said expansion processing section, said expansion processing section has a configuration for sequentially executing content expansion processing in accordance with the priority based on the priority information in the header information obtained in said content data analyzing section.

157. The data processing apparatus according to Claim 153, characterized by further comprising:

displaying means for displaying information of the compressed contents that are objects of expansion processing; and

inputting means for inputting reproduction contents identification data selected from the content information displayed on said displaying means, and characterized in that said expansion processing section has a configuration for executing expansion processing of the compressed contents corresponding to the identification data based on the reproduction contents identification data inputted from said inputting means.

158. A data processing apparatus for performing reproduction processing of content data provided by a storage medium or a communication medium, characterized by comprising:

a content data analyzing section for receiving content data including either compressed contents or expansion processing program, distinguishing whether the content data has the compressed contents or the expansion processing program from header information included in the received content data and, at the same time, if the content data has the compressed contents, obtaining a type of a compressing processing program applied to the compressed contents from the header information of the content data, and if the content data has the expansion processing program, obtaining a type of the expansion processing program from the header information of the content data;

an expansion processing section for executing expansion processing of the compressed contents, characterized in that said expansion processing section has a configuration for selecting an expansion processing program applicable to the type of the compression processing program of the compressed contents analyzed by said content data analyzing section based on the type of the expansion processing program analyzed by said content data analyzing section, and executing expansion processing by the selected expansion processing program.

159. The data processing apparatus according to Claim 158, characterized by further comprising:

a data storing section for storing the compressed contents that are extracted by said content data analyzing section; and

a program storing section for storing the expansion processing program extracted by said content data analyzing section, and characterized in that said expansion processing section has a configuration for executing expansion processing with respect to the compressed contents stored in said data storing section by applying the expansion processing program stored in said program storing section to the compressed contents.

160. The data processing apparatus according to Claim 158, characterized in that reproduction priority information of the compressed contents is included in said header information and, if there are a plurality of compressed contents that are objects of expansion processing, content expansion processing in said expansion processing section has a configuration for sequentially executing content expansion processing in accordance with the priority based on the priority information in the header information obtained in said content data analyzing section.

161. The data processing apparatus according to Claim 158, characterized by further comprising retrieving means for retrieving an expansion processing program, and characterized in that said retrieving means has a configuration for retrieving an expansion processing program applicable to a type of the compression processing program of the compressed contents analyzed by said content data analyzing section with program storing means accessible by said data processing apparatus as an object of retrieval.

162. The data processing apparatus according to Claim 158, characterized by further comprising:

displaying means for displaying information of the compressed contents that are objects of expansion processing; and

inputting means for inputting reproduction contents identification data selected from the content information displayed on said displaying means, and characterized in that said expansion processing section has a configuration for executing expansion processing of the compressed contents corresponding to the identification data based on the reproduction contents identification data inputted from said inputting means.
163. A data processing method for performing reproduction processing of content data provided by a storage medium or a communication medium, characterized by comprising:

a content data analyzing step of executing content data analysis of content data including compressed contents and an expansion processing program of said compressed contents, and executing extraction processing of the compressed contents and the expansion processing program from said content data; and

an expansion processing step of executing expansion processing of the compressed content included in said content data using an expansion processing program included in the content data obtained as a result of the analysis of said content data analyzing step.

164. The data processing method according to Claim 163, characterized by further comprising:

a data storing step of storing the compressed contents that are extracted by said content data analyzing step; and

a program storing step of storing the expansion processing program extracted by said content data analyzing section, and

characterized in that said expansion processing section has a configuration for executing expansion processing with respect to the compressed contents stored in said data storing step by applying the expansion processing program stored in said program storing step to the compressed contents.

165. The data processing method according to Claim 163, characterized in that said contents data analyzing step obtains a configuration information of content data based on header information included in said content data and performs analysis of the content data.

166. The data processing method according to Claim 165, characterized in that reproduction priority information of the compressed contents is included in said header information and, if there are a plurality of compressed contents that are objects of expansion processing in said expansion processing section, said expansion processing step sequentially executes content expansion processing in accordance with the priority based on the priority information in the header information obtained in said content data analyzing step.

167. The data processing method according to Claim 163, characterized by further comprising:

displaying step of displaying information of the compressed contents that are objects of expansion processing on displaying means; and

inputting step of inputting reproduction contents identification data selected from the content information displayed on said displaying means, and characterized in that said expansion processing step executes expansion processing of the compressed contents corresponding to the identification data based on the reproduction contents identification data inputted from said inputting step.

168. A data processing method for performing reproduction processing of content data provided by a storage medium or a communication medium, characterized by comprising:

a content data analyzing step of receiving content data including either compressed contents or expansion processing program, distinguishing whether the content data has the compressed contents or the expansion processing program from header information included in the received content data and, at the same time, if the content data has the compressed contents, obtaining a type of a compressing processing program applied to the compressed contents from the header information of the content data, and if the content data has the expansion processing program, obtaining a type of the expansion processing program from the header information of the content data;

a selecting step of selecting an expansion processing program applicable to the type of the compression processing program of the compressed contents analyzed in said content data analyzing step based on the type of the expansion processing program analyzed in said content data analyzing step; and

an expansion processing step of executing expansion processing by the expansion processing program selected in said selecting step.

169. The data processing method according to Claim 168, characterized by further comprising:

a data storing step of storing the compressed contents that are extracted by said content data analyzing section; and

a program storing step of storing the expansion processing program extracted by said content data analyzing section, and

characterized in that said expansion processing step executes expansion processing with respect to the compressed contents stored in said data storing step by applying the expansion processing program stored in said program storing step to the compressed contents.

170. The data processing method according to Claim 168, characterized in that reproduction priority information of the compressed contents is included in said header information and, if there are a plurality of compressed contents that are objects of expansion processing, said content expansion processing step sequentially executes content expansion processing in accordance with the priority based on the priority information in the header information obtained in said content data analyzing step.

171. The data processing method according to Claim 168, characterized by comprising a retrieving step of retrieving an expansion processing program, and characterized in that said retrieving step retrieves an expansion processing program applicable to a type of the compression processing program of the compressed contents analyzed in said content data analyzing step with program storing means accessible by said data processing apparatus as an object of retrieval.

172. The data processing method according to Claim 168, characterized by further comprising:

a displaying step of displaying on displaying means information of the compressed contents that are objects of expansion processing; and

an inputting step of inputting reproduction contents identification data selected from the content information displayed on said displaying means, and characterized in that said expansion processing step executes expansion processing of the compressed contents corresponding to the identification data based on the reproduction contents identification data inputted from said inputting means.

173. A content data generating method for performing generation processing of content data provided by a storage medium or a communication medium, characterized by generating content data in which compressed contents and an expansion processing program of the compressed contents are combined.

174. The content data generating method according to Claim 173, characterized in that a configuration information of the content data is added as header information of said content data.

175. The content data generating method according to Claim 173, characterized in that reproduction priority information of contents included in the content data as header information of the content
176. A content data generating method for performing generation processing of content data provided by a storage medium or a communication medium, characterized in that content data is generated in which a type of content data for identifying whether the content data has compressed contents or an expansion processing program is added as header information;

if the content data has compressed contents, a type of a compression processing program applied to the compressed contents is added as header information; and

if the content data has an expansion processing program, a type of an expansion processing program is added as header information.

177. The content data generating method according to Claim 176, characterized in that reproduction priority information of contents included in the content data is added as header information of said content data.

178. A program providing medium for providing a computer program that causes a computer system to execute reproduction processing of content data provided by a storage medium or a communication medium, characterized by comprising:

a content data analyzing step of executing content data analysis of content data including compressed contents and an expansion processing program of said compressed contents, and executing extraction processing of the compressed contents and the expansion processing program from said content data; and

an expansion processing step of executing expansion processing of the content data included in said content data using an expansion processing program included in the content data obtained as a result of the analysis of said content data analyzing section.
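
The header key handling of claims 140 to 143 and 149, worked through as an added example; it is not code from the patent. It assumes a SHA-256 counter-mode stream and a truncated HMAC-SHA256 as stand-ins for the DES encryption and DES-based check values the claims name, and a two-part split of the header; all function names, key sizes and sample blocks are constructed for illustration.

```python
import hashlib
import hmac
import os


def _xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): SHA-256 in counter mode, not the DES of claim 143.
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key, plaintext):
    """K[X] in the claims' notation: X encrypted under K, random nonce prepended."""
    nonce = os.urandom(8)
    return nonce + _xor_stream(key, nonce, plaintext)


def decrypt(key, blob):
    return _xor_stream(key, blob[:8], blob[8:])


def check_value(k_icv, message):
    # Stand-in MAC (assumption): truncated HMAC-SHA256 instead of a DES-based value.
    return hmac.new(k_icv, message, hashlib.sha256).digest()[:8]


def _header_parts(header):
    # Assumed split of the header into two separately checked parts.
    return [header["content_id"],
            repr(header["block_info"]).encode() + header["wrapped_kcon"]]


def seal_header(header, k_icv):
    """Claim 142: part check values, then a total check value over them."""
    header["part_icvs"] = [check_value(k_icv, p) for p in _header_parts(header)]
    header["total_icv"] = check_value(k_icv, b"".join(header["part_icvs"]))


def verify_header(header, k_icv):
    """Return indices of failing parts; -1 stands for the total check value."""
    expected = [check_value(k_icv, p) for p in _header_parts(header)]
    bad = [i for i, (e, s) in enumerate(zip(expected, header["part_icvs"]))
           if not hmac.compare_digest(e, s)]
    total = check_value(k_icv, b"".join(header["part_icvs"]))
    if not hmac.compare_digest(total, header["total_icv"]):
        bad.append(-1)
    return bad


def generate_content(content_id, blocks, flags, k_dis, k_icv):
    """Claims 140-142: encrypt flagged blocks under Kcon, put Kdis[Kcon] in the header."""
    k_con = os.urandom(16)  # constructed key size; the claims do not fix one
    body = [encrypt(k_con, b) if enc else b for b, enc in zip(blocks, flags)]
    header = {
        "content_id": content_id,
        "block_info": [(len(b), enc) for b, enc in zip(body, flags)],
        "wrapped_kcon": encrypt(k_dis, k_con),  # Kdis[Kcon]
    }
    seal_header(header, k_icv)
    return {"header": header, "blocks": body}


def store_to_device(content, k_dis, k_str, k_icv):
    """Claim 149: swap Kdis[Kcon] for Kstr[Kcon]; the content blocks are not touched."""
    header = dict(content["header"])
    if verify_header(header, k_icv):
        raise ValueError("header check value mismatch, refusing to store")
    k_con = decrypt(k_dis, header["wrapped_kcon"])
    header["wrapped_kcon"] = encrypt(k_str, k_con)  # Kstr[Kcon]
    seal_header(header, k_icv)  # assumption: check values are redone for the new header
    return {"header": header, "blocks": content["blocks"]}


def reproduce(content, k_wrap):
    """Unwrap Kcon with the given key and decrypt the blocks flagged as encrypted."""
    header = content["header"]
    k_con = decrypt(k_wrap, header["wrapped_kcon"])
    return [decrypt(k_con, blob) if enc else blob
            for blob, (_, enc) in zip(content["blocks"], header["block_info"])]


def demo():
    k_dis, k_str, k_icv = (os.urandom(16) for _ in range(3))
    blocks = [b"audio frame 0", b"clear-text menu", b"program data"]  # constructed
    dist = generate_content(b"GAME-0001", blocks, [True, False, True], k_dis, k_icv)
    stored = store_to_device(dist, k_dis, k_str, k_icv)
    forged = dict(stored["header"], content_id=b"GAME-9999")  # altered part 0
    return {
        "blocks_untouched": stored["blocks"] == dist["blocks"],
        "plays_with_kstr": reproduce(stored, k_str) == blocks,
        "plays_with_kdis": reproduce(stored, k_dis) == blocks,
        "tamper_report": verify_header(forged, k_icv),
    }


if __name__ == "__main__":
    print(demo())
```

Only the wrapped key in the header changes when the content is stored, so a holder of Kstr recovers Kcon while Kdis no longer unwraps the stored copy, and the per-part check values identify which header part was altered.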
[FIG. 83 (flowchart): (11) Example of save data storage process using user password or system common key. Steps S821 to S828, as far as legible: read out content ID (ex. game ID); decide whether user program localization is to be executed; if yes, input user password and generate save data encryption key Ksav based on user password; otherwise read system common key (ex. system signature key Ksys) out from recording and reproducing device and generate save data encryption key Ksav based on system common key; encrypt save data with save data encryption key Ksav; store encrypted ...; write content ID (game ID), recording and reproducing device ID, and user program localization (yes/no) to data managing file.]
[FIG. 85 (flowchart): (12) Example of save data reproduction process using user password or system common key. Steps S831 to S837, as far as legible: read out content ID (ex. game ID); read content ID (game ID) and user program localization (yes/no) out from data managing file; decide whether user program localization is to be executed; if yes, input user password and generate save data decryption key Ksav based on user password; otherwise read system common key (ex. system signature key Ksys) out from recording and reproducing device and generate save data decryption key Ksav based on system common key; decrypt save data with save data decryption key Ksav; reproduce and execute decrypted data from recording and reproducing device.]
[FIG. 87 (two flowcharts): "Provide content from medium (DVD, CD, or the like)" and "Provide content from network". Steps S901 to S911, as far as legible: request medium to provide content, or establish communication session with delivery service side; obtain revocation list information; execute revocation list integrity check value ICVrev verifying process; generate intermediate integrity check value ICVt' from revocation list integrity check value ICVrev and partial integrity check value in content data to execute intermediate integrity check value verifying process; start normal process (ex. program executing process).]
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PROVIDE CONTENT FROM RECORDING 
DEVICE (MEMORY CARD OR THE LIKE) 



( START ) 



S921 



MUTUAL AUTHENTICATION 
PROCESS (SEE FIG. 20) 




S923 



OBTAIN REVOCATION LIST INFORMATION 



S924 



EXECUTE REVOCATION LIST INTEGRITY 
CHECK VALUE ICVREV VERIFYING PROCESS 




S926 



GENERATE INTERMEDIATE INTEGRITY 
CHECK VALUE ICVt' FROM REVOCATION 
LIST INTEGRITY CHECK VALUE ICVrev 
AND PARTIAL INTEGRITY CHECK VALUE 

IN CONTENT DATA TO EXECUTE 
INTERMEDIATE INTEGRITY CHECK VALUE 
VERIFYING PROCESS 




START NORMAL PROCESS 
(EX. PROGRAM EXECUTING PROCESS) 

FIG. 88
[Flowchart: security chip manufacturing process flow. Boxes: start; set data
write or read mode; execute authentication process based on chip storage
completion information; abort process; execute data write process; execute
data read process; end data write or read process. Step labels legible in the
source: S951, S952, S956.]
FIG. 90
[Flowchart, partially preserved: data write process. Boxes: abort process;
output to process section a command for write of secret data to write only
(WO) area and of checking data to read and write (RW) area; process section
writes secret data to write only (WO) area and checks data to read and write
(RW) area for execution; end data write process. Step label legible in the
source: S964.]
FIG. 92
[Flowchart: process for checking secret data written to write only (WO) area.
Boxes: start; process section executes cryptograph process using secret data
written to write only (WO) area; receive result of cryptography process;
compare result of cryptography process using secret data (after
authentication) written to write only (WO) area with result of cryptograph
process executed by process section; abort process; end data checking
process. Step labels legible in the source: S971, S972, S973.]
FIG. 93
Explanation of Reference Numerals
106 ... main CPU, 107 ... RAM, 108 ... ROM, 109 ... AV process section,
110 ... input process section, 111 ... PIO, 112 ... SIO, 300 ... recording
and reproducing device, 301 ... control section, 302 ... cryptography
process section, 303 ... recording device controller, 304 ... read
section, 305 ... communication section, 306 ... control section,
307 ... internal memory, 308 ... encryption/decryption section,
400 ... recording device, 401 ... cryptography process section,
402 ... external memory, 403 ... control section, 404 ... communication
section, 405 ... internal memory, 406 ... encryption/decryption
section, 407 ... external memory control section, 500 ... medium,
600 ... communication means, 2101, 2102, 2103 ... recording and reproducing
device, 2104, 2105, 2106 ... recording device, 2901 ... command number
managing section, 2902 ... command register, 2903, 2904 ... authentication
flag, 3001 ... speaker, 3002 ... monitor, 3090 ... memory, 3091 ... content
analysis section, 3092 ... data storage section, 3093 ... program storage
section, 3094 ... compression decompression process section, 7701 ... content
data, 7702 ... revocation list, 7703 ... list check value,
8000 ... security chip, 8001 ... process section, 8002 ... storage
section, 8003 ... mode signal line, 8004 ... command signal line,
8201 ... read write area, 8202 ... write only area.
The inventions of claims 1-16, 18-33 relate to a technique for verifying partial
data and partial data sets through an electronic signature; the inventions of
claims 17, 34 relate to a structure of a data processor having a verifying structure
through an electronic signature; the inventions of claims 36-45 relate to a method
for generating/imparting an electronic signature; the inventions of claims 47-67
relate to a data processor for performing encryption and electronic signature,
a system structure, and a data processing method; the inventions of claims 69-78
relate to a data processor and a data processing method complying with electronic
signature protocols; the inventions of claims 80, 81 relate to a method for creating
content data having a function of excluding an unauthorized terminal; the
inventions of claims 83-100 relate to a structure of a data processor; the inventions
of claims 102-127 relate to a structure of a data processor having a structure
for verifying an electronic signature of content data and a data processing method;
the inventions of claims 128-135 relate to a method for creating/imparting an
electronic signature for processing content data; the inventions of claims 137-139
relate to a data processor for performing encryption and electronic signature;
the inventions of claims 140-151 relate to a method for creating content data
which is encrypted and to which an electronic signature is imparted; and the
inventions of claims 153-178 relate to a structure of a data processor for
compressing/decompressing content data and a data processing method. The gists
inventive concept.